Abstract. Many problems can be specified by patterns of propositional formulae depending on a parameter, e.g. the specification of a circuit usually depends on the number of bits of its input. We define a logic whose formulae, called iterated schemata, allow such patterns to be expressed. Schemata extend propositional logic with indexed propositions, e.g. $P_1$, $P_{i+1}$, $P_i$ or $P_n$, and with generalized connectives, e.g. $\bigwedge_{i=1}^{n}$ or $\bigvee_{i=1}^{n}$ (called iterations) where $n$ is an (unbound) integer variable called a parameter. The expressive power of iterated schemata is strictly greater than that of propositional logic: it is even out of the scope of first-order logic. We define a proof procedure, called DPLL*, that can prove that a schema is satisfiable for at least one value of its parameter, in the spirit of the DPLL procedure [12]. However the converse problem, i.e. proving that a schema is unsatisfiable for every value of the parameter, is undecidable [2], so DPLL* does not terminate in general. Still, we prove that DPLL* terminates for schemata of a syntactic subclass called regularly nested. This is the first non-trivial class for which DPLL* is proved to terminate. Furthermore the class of regularly nested schemata is the first decidable class to allow nesting of iterations, i.e. to allow schemata of the form . . .



1 Introduction 



The specification of problems in propositional logic often leads to propositional formulae that depend on a parameter: the $n$-queens problem depends on $n$, the pigeonhole problem depends on the number of considered pigeons, a circuit may depend on the number of bits of its input, etc. Consider for instance a specification of a carry propagate adder circuit, i.e. a circuit that takes as input two $n$-bit vectors and computes their sum:
n

where:

$\mathit{Carry}_i = C_{i+1} \Leftrightarrow \big((A_i \wedge B_i) \vee (B_i \wedge C_i) \vee (A_i \wedge C_i)\big)$
$\oplus$ denotes the exclusive OR
$A_1, \ldots, A_n$ denotes the first operand of the circuit
$B_1, \ldots, B_n$ denotes the second operand of the circuit
$S_1, \ldots, S_n$ denotes the output (the Sum) of the circuit
$C_1, \ldots, C_n$ denotes the intermediate Carries of the circuit

Presently, automated reasoning on such specifications requires that we give a concrete value to the parameter $n$. Besides the obvious loss of generality, this instantiation hides the structure of the initial problem, which can however be useful information when reasoning about such specifications: the structure of the proof can in many cases be guided by the structure of the original specification. This gave us the idea to consider parameterized formulae at the object level and to design a logic to reason about them.

Notice that schemata not only arise naturally from practical problems, but also have a deep conceptual interpretation, building bridges between logic and computation. Just as first- or higher-order logic abstracts from propositional logic via quantification, schemata abstract via computation. Indeed, a schema can be considered as a very specific algorithm taking as input a value for the parameter and generating a propositional formula depending on this value. So a schema can be seen as an algorithm whose codomain is the set of propositional formulae (its domain is the set of integers in this presentation, but one can imagine any type of parameter). Thus schemata can be seen as a different, and complementary, way to abstract from propositional logic.

If we want to prove, e.g., that the implementation of a parameterized specification is correct, we need to prove that the corresponding schema is valid for every value of the parameter. As usual we actually deal with unsatisfiability: we say that a schema is unsatisfiable iff every propositional formula obtained by giving a value to the parameter is unsatisfiable. In [2] we introduced a first proof procedure for propositional schemata, called STAB. Notice that there is an easy way to systematically look for a counter-example (i.e. find a value of the parameter for which the schema is satisfiable): we can just enumerate all the values and check the satisfiability of the corresponding formula with a SAT solver. However this naive procedure does not terminate when the schema is unsatisfiable. On the other hand, STAB not only terminates (and much more efficiently) when the schema is satisfiable, but it can also terminate when the schema is unsatisfiable. However it still does not terminate in general, as we proved that the (un)satisfiability problem is undecidable for schemata [2]. As a consequence there cannot exist a complete calculus for schemata (the set of unsatisfiable schemata is not recursively enumerable). Still, we proved that STAB terminates for a particular class of schemata, called regular, which is thus decidable (this class contains the carry propagate adder described previously).
An important restriction of the class of regular schemata is that it cannot contain nested iterations, e.g. $\bigvee_{i=1}^{n} \bigvee_{j=1}^{i} P_i \wedge Q_j$. Nested iterations occur frequently in the specification of practical problems. We take the example of a binary multiplier which computes the product of two bit vectors $A = (A_1, \ldots, A_n)$ and $B = (B_1, \ldots, B_n)$ using the following decomposition:

$$A.B = A \cdot \sum_{i=1}^{n} B_i.2^{i-1} = \sum_{i=1}^{n} A.B_i.2^{i-1}$$

The circuit is mainly an iterated sum:

$$\text{``}S^1 = 0\text{''} \wedge \bigwedge_{i=1}^{n} \Big( \big(B_i \Rightarrow \mathit{Add}(S^i, A.2^{i-1}, S^{i+1})\big) \wedge \big(\neg B_i \Rightarrow (S^{i+1} \Leftrightarrow S^i)\big) \Big)$$

where $S^i$ denotes the $i$-th partial sum (hence $S^{n+1}$ denotes the final result) and $\mathit{Add}(x, y, z)$ denotes any schema specifying a circuit which computes the sum $z$ of $x$ and $y$ (for instance the previous Adder schema). We express "$S^1 = 0$" by $\bigwedge_{i=1}^{n} \neg S^1_i$, and "$A.2^{i-1}$" by the bit vector $Sh^i = (Sh^i_1, \ldots, Sh^i_{2n})$ ($Sh$ for Shift):

$$\Big(\bigwedge_{i=1}^{n} (Sh^1_i \Leftrightarrow A_i)\Big) \wedge \Big(\bigwedge_{i=n+1}^{2n} \neg Sh^1_i\Big) \wedge \Big(\bigwedge_{i=1}^{n} \big(\neg Sh^{i+1}_1 \wedge \bigwedge_{j=1}^{2n} (Sh^{i+1}_{j+1} \Leftrightarrow Sh^{i}_{j})\big)\Big)$$

This schema obviously contains nested iterations¹.

STAB does not terminate in general on such specifications. We introduce in this paper a new proof procedure, called DPLL*, which is an extension of the DPLL procedure [12]. Extending DPLL to schemata is a complex task, because the formulae depend on an unbounded number of propositional variables (e.g. $\bigvee_{i=1}^{n} P_i$ "contains" $P_1, \ldots, P_n$). Furthermore, propagating the value given to an atom is not as straightforward as in DPLL (in $\bigvee_{i=1}^{n} P_i$, if the value of e.g. $P_2$ is fixed then we must propagate the assignment to $P_i$, but only in the case where $i = 2$). The main advantage of DPLL* over STAB is that it can operate on subformulae occurring at a deep position in the schema (in contrast to STAB, which only handles root formulae, by applying decomposition rules). This feature turns out to be essential for handling nested iterations. We prove that DPLL* is sound, complete for satisfiability detection and terminates on a class of schemata, called regularly nested, which is obtained from regular schemata by removing the restriction on nested iterations.

The paper is organized as follows. Section 2 defines the syntax and semantics of iterated schemata. Section 3 presents the DPLL* proof procedure. Section 4 deals with the detection of cycles in proofs, which is the main tool allowing termination. Section 5 presents the class of regularly nested schemata, for which we show that DPLL* terminates. Termination is also proven for some simple derivatives of this class. Section 6 concludes the paper and briefly presents related work.



¹ However it does not belong to the decidable class presented in Section 5.
2 Schemata of Propositional Formulae

Consider the usual signature $\Sigma = \{0, s, +, -\}$ and a countable set of integer variables denoted by $\mathcal{IV}$. Terms on $\Sigma$ and $\mathcal{IV}$ are called linear expressions, whose set is written $\mathcal{LE}$. As usual we simply write $n$ for $s^n(0)$ ($n \geq 0$) and $n.e$ for $e + \cdots + e$ ($n$ times). Linear expressions are considered modulo the usual properties of the arithmetic symbols (e.g. $s(0) + s(s(0))$ is assumed to be the same as $s(s(s(0)))$ and written 3). Consider the structure $\mathcal{L} = \langle \Sigma; =, <, \leq \rangle$ of linear arithmetic (i.e. the same as Presburger arithmetic except that negative integers are also considered). The set of first-order formulae of $\mathcal{L}$ is called the set of linear constraints (or in short constraints), written $\mathcal{LC}$. As usual, if $C_1, C_2 \in \mathcal{LC}$, we write $C_1 \models C_2$ iff $C_2$ is a logical consequence of $C_1$. This relation is well known to be decidable using decision procedures for arithmetic without multiplication, see e.g. [10]. It is also well known that linear arithmetic admits quantifier elimination. From now on, closed terms of $\Sigma$ (i.e. integers) are denoted by $n, m, i, j, k, l$, linear expressions by $e, f$, constraints by $C, C_1, C_2, \ldots$ and integer variables by $\mathsf{n}, \mathsf{i}, \mathsf{j}$ (we use this particular typesetting to clearly make the distinction with variables of the meta-language).

To make technical details simpler, and w.l.o.g., only schemata in negative normal form (n.n.f.) are considered. We say that a linear constraint $C$ encloses a variable $\mathsf{i}$ iff there exist $e_1, e_2 \in \mathcal{LE}$ s.t. $\mathsf{i}$ does not occur in $e_1, e_2$ and $C \models e_1 \leq \mathsf{i} \wedge \mathsf{i} \leq e_2$.

Definition 1 (Schemata). For every $k \in \mathbb{N}$, let $\mathcal{P}_k$ be a set of symbols. The set $\mathfrak{P}$ of formula patterns (or, for short, patterns) is the smallest set s.t.

- If $k \in \mathbb{N}$, $P \in \mathcal{P}_k$ and $e_1, \ldots, e_k \in \mathcal{LE}$ then $P_{e_1,\ldots,e_k} \in \mathfrak{P}$ and $\neg P_{e_1,\ldots,e_k} \in \mathfrak{P}$.

- If $\pi_1, \pi_2 \in \mathfrak{P}$ then $\pi_1 \vee \pi_2 \in \mathfrak{P}$ and $\pi_1 \wedge \pi_2 \in \mathfrak{P}$.

- If $\pi \in \mathfrak{P}$, $\mathsf{i} \in \mathcal{IV}$, $C \in \mathcal{LC}$ and $C$ encloses $\mathsf{i}$ then $\bigwedge_{\mathsf{i}|C}\,\pi \in \mathfrak{P}$ and $\bigvee_{\mathsf{i}|C}\,\pi \in \mathfrak{P}$.

A schema $S$ is a pair (written as a conjunction) $\pi \wedge C$, where $\pi$ is a pattern and $C$ is a constraint. $C$ is called the constraint of $S$, written $C_S$; $\pi$ is called its pattern, written $\Pi_S$.

The first three items define a language that differs from propositional logic only in its atoms, which we call indexed propositions ($e_1, \ldots, e_k$ are called indices). The real novel part is the last item. Patterns of the form $\bigwedge_{\mathsf{i}|C}\,\pi$ and $\bigvee_{\mathsf{i}|C}\,\pi$ are called iterations. $C$ is called the domain of the iteration. In [2] only domains of the form $e_1 \leq \mathsf{i} \wedge \mathsf{i} \leq e_2$ were handled, but as we shall see in Section 3, more general classes of constraints are required to define the DPLL* procedure. If $C$ is unsatisfiable then the iteration is empty. Any occurrence of $\mathsf{i}$ in $\pi$ is bound by the iteration. A variable occurrence which is not bound is free. A variable which has free occurrences in a pattern is a parameter of the pattern. A pattern which is just an indexed proposition $P_{e_1,\ldots,e_k}$ is called an atom. An atom or the negation of an atom is called a literal.
In [2] and [1] a schema was just a pattern; however constraints appear so often that it is more convenient to integrate them into the definition of schema. Informally, a pattern gives a "skeleton" with "holes" and the constraint specifies how the holes can be filled (this choice fits the abstract definition of schema in [11]). This new definition can be emulated with the definition of [1] (as one can see from the upcoming semantics, $\bigvee_{\mathsf{i}|C}\,\top$ is equivalent to $C$). In the following we assume w.l.o.g. that $C_S$ entails $\mathsf{n}_1 \geq 0 \wedge \cdots \wedge \mathsf{n}_k \geq 0$ where $\mathsf{n}_1, \ldots, \mathsf{n}_k$ are the parameters of $\Pi_S$.

Example 1. $S$ is a schema:

$$S = P_1 \wedge \bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n}} \Big(Q_{\mathsf{i}} \wedge \bigvee_{\mathsf{j}|1 \leq \mathsf{j} \leq \mathsf{n}+1 \wedge \mathsf{i} \neq \mathsf{j}} \neg P_{\mathsf{n}} \vee P_{\mathsf{j}+1}\Big) \wedge \mathsf{n} > 1$$

$P_1$, $Q_{\mathsf{i}}$, $P_{\mathsf{n}}$ and $P_{\mathsf{j}+1}$ are indexed propositions. The only iterations of $S$ are:

$$\bigvee_{\mathsf{j}|1 \leq \mathsf{j} \leq \mathsf{n}+1 \wedge \mathsf{i} \neq \mathsf{j}} \neg P_{\mathsf{n}} \vee P_{\mathsf{j}+1}$$

and

$$\bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n}} \Big(Q_{\mathsf{i}} \wedge \bigvee_{\mathsf{j}|1 \leq \mathsf{j} \leq \mathsf{n}+1 \wedge \mathsf{i} \neq \mathsf{j}} \neg P_{\mathsf{n}} \vee P_{\mathsf{j}+1}\Big)$$

Their respective domains are $1 \leq \mathsf{j} \leq \mathsf{n}+1 \wedge \mathsf{i} \neq \mathsf{j}$ and $1 \leq \mathsf{i} \leq \mathsf{n}$. $\mathsf{n}$ is the only parameter of $S$. Finally:

$$\Pi_S = P_1 \wedge \bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n}} \Big(Q_{\mathsf{i}} \wedge \bigvee_{\mathsf{j}|1 \leq \mathsf{j} \leq \mathsf{n}+1 \wedge \mathsf{i} \neq \mathsf{j}} \neg P_{\mathsf{n}} \vee P_{\mathsf{j}+1}\Big)$$

and $C_S = \mathsf{n} > 1$.

Schemata are denoted by $S, S_1, S_2, \ldots$, parameters by $\mathsf{n}, \mathsf{n}_1, \mathsf{n}_2, \ldots$, bound variables by $\mathsf{i}, \mathsf{j}$. $\bigtriangleup_{\mathsf{i}|C}\,S$ and $\bigtriangledown_{\mathsf{i}|C}\,S$ denote generic iterations (i.e. $\bigvee_{\mathsf{i}|C}\,S$ or $\bigwedge_{\mathsf{i}|C}\,S$), $\triangle$ and $\triangledown$ denote generic binary connectives (i.e. $\vee$ or $\wedge$); finally $\bigtriangleup_{\mathsf{i}=e_1}^{e_2}\,S$ denotes $\bigtriangleup_{\mathsf{i}|e_1 \leq \mathsf{i} \wedge \mathsf{i} \leq e_2}\,S$.

Let $S$ be a schema and $\bigtriangleup_{\mathsf{i}_1|C_1}\,S_1, \ldots, \bigtriangleup_{\mathsf{i}_k|C_k}\,S_k$ be all the iterations occurring in $S$. Then $C_S \wedge C_1 \wedge \cdots \wedge C_k$ is called the constraint context of $S$, written $\mathrm{Context}(S)$. Notice that $\mathrm{Context}(S)$ loses the information on the binding positions of variables. This can be annoying if a variable name is bound by two different iterations or if it is both bound and free in the schema. So we assume that all schemata are such that this situation does not hold².

Substitutions on integer variables map integer variables to linear arithmetic expressions. We write $[e_1/\mathsf{i}_1, \ldots, e_k/\mathsf{i}_k]$ for the substitution mapping $\mathsf{i}_1, \ldots, \mathsf{i}_k$ to $e_1, \ldots, e_k$ respectively. The application of a substitution $\sigma$ to an arithmetic expression $e$, written $e\sigma$, is defined as usual. Substitution application is naturally extended to schemata (notice that bound variables are not replaced). A substitution is ground iff it maps integer variables to integers (i.e. ground arithmetic expressions). An environment $\rho$ of a schema $S$ is a ground substitution mapping all parameters of $S$ and such that $C_S\rho$ is true.

² The proof system defined in Section 3 preserves this property, except for the rule Emptiness which duplicates an iteration; but we may safely assume that the variables of one of the duplicated iterations are renamed so that the desired property is fulfilled.

Definition 2 (Propositional Realization). Let $\pi$ be a pattern and $\rho$ a ground substitution. The propositional formula $|\pi|_\rho$ is defined as follows:

- $|P_{e_1,\ldots,e_k}|_\rho = P_{e_1\rho,\ldots,e_k\rho}$; $|\neg P_{e_1,\ldots,e_k}|_\rho = \neg P_{e_1\rho,\ldots,e_k\rho}$;

- $|\top|_\rho = \top$, $|\bot|_\rho = \bot$, $|\pi_1 \wedge \pi_2|_\rho = |\pi_1|_\rho \wedge |\pi_2|_\rho$, $|\pi_1 \vee \pi_2|_\rho = |\pi_1|_\rho \vee |\pi_2|_\rho$;

- $|\bigvee_{\mathsf{i}|C}\,\pi|_\rho = \bigvee_{i \in \mathbb{Z} \text{ s.t. } C[i/\mathsf{i}]\rho \text{ is valid}} |\pi[i/\mathsf{i}]|_{\rho \cup [i/\mathsf{i}]}$;

- $|\bigwedge_{\mathsf{i}|C}\,\pi|_\rho = \bigwedge_{i \in \mathbb{Z} \text{ s.t. } C[i/\mathsf{i}]\rho \text{ is valid}} |\pi[i/\mathsf{i}]|_{\rho \cup [i/\mathsf{i}]}$.

When $\rho$ is an environment of a schema $S$, we define $|S|_\rho$ as $|\Pi_S|_\rho$. $|S|_\rho$ is called a propositional realization of $S$.

Notice that $\top, \bot, \vee, \wedge, \neg$ on the right-hand members of the equations have their standard propositional meanings. $\bigvee$ and $\bigwedge$ on the right-hand members are meta-operators denoting respectively the propositional formulae $\cdots \vee \cdots \vee \cdots$ and $\cdots \wedge \cdots \wedge \cdots$, or $\bot$ and $\top$ when the conditions are not verified. On the contrary all those symbols on the left-hand members are pattern connectives.

We now make precise the semantics outlined in the introduction. Propositional logic semantics are defined as usual. A propositional interpretation of a (propositional) formula $\phi$ is a function mapping every propositional variable of $\phi$ to a truth value true or false.

Definition 3 (Semantics). Let $S$ be a schema. An interpretation $\mathcal{I}$ of the schemata language is the pair of an environment $\rho_{\mathcal{I}}$ of $S$ and a propositional interpretation $\mathcal{I}_P$ of $|S|_{\rho_{\mathcal{I}}}$. A schema $S$ is true in $\mathcal{I}$ iff $|S|_{\rho_{\mathcal{I}}}$ is true in $\mathcal{I}_P$, in which case $\mathcal{I}$ is a model of $S$. $S$ is satisfiable iff it has a model.

Notice that an empty iteration $\bigvee_{\mathsf{i}|C}\,\pi$ (resp. $\bigwedge_{\mathsf{i}|C}\,\pi$) is always false (resp. true).

Example 2. Consider the following schema:

$$S = P_1 \wedge \bigwedge_{\mathsf{i}=1}^{\mathsf{n}} (P_{\mathsf{i}} \Rightarrow P_{\mathsf{i}+1}) \wedge \neg P_{\mathsf{n}+1} \wedge \mathsf{n} \geq 0$$

(as usual, $S_1 \Rightarrow S_2$ is a shorthand for $\neg S_1 \vee S_2$). Then

$|S|_{\mathsf{n} \mapsto 0} = P_1 \wedge \neg P_1$

$|S|_{\mathsf{n} \mapsto 1} = P_1 \wedge (P_1 \Rightarrow P_2) \wedge \neg P_2$

$|S|_{\mathsf{n} \mapsto 2} = P_1 \wedge (P_1 \Rightarrow P_2) \wedge (P_2 \Rightarrow P_3) \wedge \neg P_3$

etc.

$S$ is clearly unsatisfiable. Notice that $\mathsf{n} \mapsto -k$ is not an environment of $S$ for any $k > 0$.
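The enumeration sketched in the introduction (give $\mathsf{n}$ a value, realize the schema, check the instance with a SAT solver) together with the realization function of Definition 2, as an added example that is not part of the paper and not the authors' implementation. The pattern encoding, the restriction of domains to $e_1 \leq \mathsf{i} \leq e_2 \wedge C$ with $C$ a predicate, and the brute-force satisfiability check are our own choices; the two schemata encoded are Example 2 and the $\bigvee_{\mathsf{i}=1}^{\mathsf{n}} P_{\mathsf{i}} \wedge \neg P_1$ used in Section 3.2:

```python
"""Propositional realization (Definition 2) plus the naive counter-example
search of the introduction: give the parameter a value, realize the
schema, ask a SAT solver.  Added example; this encoding is ours, not the
paper's implementation.  Assumption: iteration domains have the shape
e1 <= i <= e2 /\ C with C a Python predicate on the environment."""
from dataclasses import dataclass
from itertools import product
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Lin:
    """Linear expression sum(c * x) + const over integer variables."""
    coef: Tuple[Tuple[str, int], ...] = ()
    const: int = 0

    def __call__(self, env: dict) -> int:
        return self.const + sum(c * env[v] for v, c in self.coef)

def var(v: str, k: int = 0) -> Lin:          # the expression v + k
    return Lin(((v, 1),), k)

def num(k: int) -> Lin:
    return Lin((), k)

@dataclass(frozen=True)
class Atom:                  # P_{e1,...,ek}, negated when neg is True
    name: str
    idx: Tuple[Lin, ...]
    neg: bool = False

@dataclass(frozen=True)
class Bin:                   # binary connective, op in {"and", "or"}
    op: str
    left: object
    right: object

@dataclass(frozen=True)
class Iter:                  # iteration over var, domain lo <= var <= hi /\ cond
    op: str
    var: str
    lo: Lin
    hi: Lin
    body: object
    cond: Optional[Callable[[dict], bool]] = None

# Realizations are nested tuples: ("lit", name, neg), ("and", f, g),
# ("or", f, g), ("top",), ("bot",).
def realize(pat, env: dict):
    """|pat|_env of Definition 2 for a ground substitution env."""
    if isinstance(pat, Atom):
        return ("lit", pat.name + "_" + ",".join(str(e(env)) for e in pat.idx), pat.neg)
    if isinstance(pat, Bin):
        return (pat.op, realize(pat.left, env), realize(pat.right, env))
    acc = ("top",) if pat.op == "and" else ("bot",)   # neutral element: empty iteration
    for i in range(pat.lo(env), pat.hi(env) + 1):
        env_i = dict(env, **{pat.var: i})
        if pat.cond is None or pat.cond(env_i):
            acc = (pat.op, acc, realize(pat.body, env_i))
    return acc

def atoms_of(f) -> set:
    return {f[1]} if f[0] == "lit" else set().union(*(atoms_of(g) for g in f[1:]))

def holds(f, val: dict) -> bool:
    if f[0] == "lit":
        return val[f[1]] != f[2]
    if f[0] in ("and", "or"):
        l, r = holds(f[1], val), holds(f[2], val)
        return (l and r) if f[0] == "and" else (l or r)
    return f[0] == "top"

def satisfiable(f) -> bool:
    """Brute-force SAT check, enough for the small realizations used here."""
    names = sorted(atoms_of(f))
    return any(holds(f, dict(zip(names, bits)))
               for bits in product((False, True), repeat=len(names)))

def naive_search(pattern, constraint: Callable[[int], bool], max_n: int) -> Optional[int]:
    """First n in 0..max_n allowed by the constraint whose realization is
    satisfiable, or None.  None never proves unsatisfiability: a model may
    exist beyond max_n, which is why this search cannot terminate on
    unsatisfiable schemata."""
    for n in range(max_n + 1):
        if constraint(n) and satisfiable(realize(pattern, {"n": n})):
            return n
    return None

def P(e: Lin, neg: bool = False) -> Atom:
    return Atom("P", (e,), neg)

# Example 2:  P_1 /\ /\_{i=1}^{n} (P_i => P_{i+1}) /\ ~P_{n+1} /\ n >= 0
EXAMPLE2 = Bin("and",
               Bin("and", P(num(1)),
                   Iter("and", "i", num(1), var("n"),
                        Bin("or", P(var("i"), True), P(var("i", 1))))),
               P(var("n", 1), True))

# \/_{i=1}^{n} P_i /\ ~P_1 /\ n >= 0, the schema used in Section 3.2
LOOPING = Bin("and", Iter("or", "i", num(1), var("n"), P(var("i"))), P(num(1), True))

if __name__ == "__main__":
    print(naive_search(EXAMPLE2, lambda n: n >= 0, 8))   # None
    print(naive_search(LOOPING, lambda n: n >= 0, 8))    # 2
```

The search finds the counter-example $\mathsf{n} = 2$ for the second schema after three SAT calls, while for Example 2 it can only report that no model exists up to the bound: this is exactly the asymmetry the introduction describes, since nothing in the enumeration can certify unsatisfiability for every $\mathsf{n}$.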
The set of satisfiable schemata is recursively enumerable but not recursive [2]. Hence there cannot be a refutationally complete proof procedure for schemata. Notice that the semantics are different from the ones in [2] and [1] but easily seen to be equivalent.

The next definitions will be useful in the definition of DPLL*. Let $\phi$ be a propositional formula and $L$ a (propositional) literal. We say that $L$ occurs positively in $\phi$, written $L \sqsubset \phi$, iff there is an occurrence of $L$ in $\phi$ which is not in the scope of a negation. As we consider formulae in n.n.f., a negative literal occurs positively in $\phi$ iff it simply occurs in $\phi$.

Definition 4. Let $S$ be a schema and $L$ a literal s.t. the parameters of $L$ are parameters of $S$.

We write $L \sqsubset_\forall S$ iff for every environment $\rho$ of $S$, $|L|_\rho \sqsubset |S|_\rho$.
We write $L \sqsubset_\exists S$ iff there is an environment $\rho$ of $S$ s.t. $|L|_\rho \sqsubset |S|_\rho$.

Example 3. Consider $S$ as in Example 2. We have $P_1 \sqsubset_\forall S$, $P_{\mathsf{n}+1} \sqsubset_\forall S$, $P_2 \not\sqsubset_\forall S$. However $P_2 \sqsubset_\exists S$ and $P_2 \sqsubset_\forall (S \wedge \mathsf{n} > 1)$. Finally $P_0 \not\sqsubset_\exists S$ and $P_{\mathsf{n}+2} \not\sqsubset_\exists S$. Notice that $\neg P_1 \sqsubset_\exists S$ as $S_1 \Rightarrow S_2$ is a shorthand for $\neg S_1 \vee S_2$.

Suppose $L$ has the form $P_{e_1,\ldots,e_k}$ (resp. $\neg P_{e_1,\ldots,e_k}$). For a literal $L' \sqsubset S$ of indices $f_1, \ldots, f_k$, $\psi_L(L')$ denotes the formula:

$$\exists \mathsf{i}_1 \ldots \mathsf{i}_n\,(C_{\mathsf{i}_1} \wedge \cdots \wedge C_{\mathsf{i}_n} \wedge e_1 = f_1 \wedge \cdots \wedge e_k = f_k)$$

where $\mathsf{i}_1, \ldots, \mathsf{i}_n$ are all the bound variables of $S$ occurring in $f_1, \ldots, f_k$ and $C_{\mathsf{i}_1}, \ldots, C_{\mathsf{i}_n}$ are the domains of the iterations binding $\mathsf{i}_1, \ldots, \mathsf{i}_n$. Then $\phi_L(S)$ denotes the following formula:

$$\bigvee\{\psi_L(P_{f_1,\ldots,f_k}) \mid P_{f_1,\ldots,f_k} \sqsubset S\} \quad (\text{resp. } \bigvee\{\psi_L(\neg P_{f_1,\ldots,f_k}) \mid \neg P_{f_1,\ldots,f_k} \sqsubset S\})$$

Proposition 1. $L \sqsubset_\forall S$ iff $\forall \mathsf{n}_1, \ldots, \mathsf{n}_l\,(C_S \Rightarrow \phi_L(S))$ is valid, where $\mathsf{n}_1, \ldots, \mathsf{n}_l$ are all the parameters of $S$. $L \sqsubset_\exists S$ iff $\exists \mathsf{n}_1, \ldots, \mathsf{n}_l\,(C_S \wedge \phi_L(S))$ is valid.

Proof. (Sketch) Let $\rho$ be an environment of $S$. Assume that $L$ has the form $P_{e_1,\ldots,e_k}$ (the case $\neg P_{e_1,\ldots,e_k}$ is similar). From Definition 2, it is easily seen (by induction on the number of nested iterations) that $|L|_\rho \sqsubset |S|_\rho$ iff there is a literal $P_{f_1,\ldots,f_k} \sqsubset S$ s.t. $L\rho = P_{f_1,\ldots,f_k}(\rho \cup [i_1/\mathsf{i}_1, \ldots, i_n/\mathsf{i}_n])$ where $\mathsf{i}_1, \ldots, \mathsf{i}_n$ are all the bound variables occurring in $f_1, \ldots, f_k$ and $i_1, \ldots, i_n$ are integers s.t. $C_1(\rho \cup [i_1/\mathsf{i}_1, \ldots, i_n/\mathsf{i}_n]), \ldots, C_n(\rho \cup [i_1/\mathsf{i}_1, \ldots, i_n/\mathsf{i}_n])$ are valid. It is then obvious that $|L|_\rho \sqsubset |S|_\rho$ iff $\phi_L(S)\rho$ is valid. The result follows easily. □

Example 4. Consider $S$ as defined in Example 2. For any expression $e$, $P_e \sqsubset_\forall S$ (resp. $P_e \sqsubset_\exists S$) iff $\forall \mathsf{n}\,\big(\mathsf{n} \geq 0 \Rightarrow [e = 1 \vee \exists \mathsf{i}\,(1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n} \wedge e = \mathsf{i}) \vee \exists \mathsf{i}\,(1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n} \wedge e = \mathsf{i}+1) \vee e = \mathsf{n}+1]\big)$ (resp. $\exists \mathsf{n}\,\exists \mathsf{i}\,\big(\mathsf{n} \geq 0 \wedge (1 \leq \mathsf{i} \wedge \mathsf{i} \leq \mathsf{n}) \wedge (e = 1 \vee e = \mathsf{i} \vee e = \mathsf{i}+1 \vee e = \mathsf{n}+1)\big)$) is valid.

Then, by decidability of linear arithmetic, both $\sqsubset_\forall$ and $\sqsubset_\exists$ are decidable. Besides, it is easy to compute the set $\mathcal{L}(S) = \{L \mid L \sqsubset_\forall S\}$ for a given schema $S$: one just takes any propositional realization $\phi$ of $S$, and checks for every literal $L \sqsubset \phi$ whether $L \sqsubset_\forall S$. If yes then it belongs to $\mathcal{L}(S)$, otherwise it does not. It is enough to do this with only one propositional realization, as for any $L \in \mathcal{L}(S)$ we must have $L \sqsubset \phi$ for every propositional realization $\phi$.
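A decision procedure for $\sqsubset_\forall$ and $\sqsubset_\exists$ in the single-parameter case, as an added example that is not the paper's code. It assumes one parameter $\mathsf{n}$, indices of the form $a\mathsf{n}+b$ (plus the bound variable inside an iteration), interval domains, and a constraint of the form $\mathsf{n} \geq n_{\min}$; under these assumptions $\psi_L$ is built by hand as in Example 4, and the outer quantifier over $\mathsf{n}$ is decided by checking every value up to a breakpoint bound rather than by calling a general Presburger procedure (our choice of method, not the paper's). The schema encoded is that of Example 2, so the results can be compared with Example 3:

```python
"""Deciding L occurs-forall S and L occurs-exists S (Definition 4,
Proposition 1, Example 4) for the schema of Example 2.  Added example,
not the paper's implementation.  Assumptions (ours): a single parameter
n, indices a*n+b (plus the bound variable i inside an iteration), a
constraint n >= n_min and interval domains lo(n) <= i <= hi(n).  Then
the existential on i in psi_L is eliminated by hand
(exists i. lo<=i<=hi /\ e = i+b  iff  lo <= e-b <= hi) and what is left
is a boolean combination of linear inequalities in n, each of which
changes truth value at most once, so "for all n >= n_min" is decided by
checking n up to a bound past every breakpoint."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Expr:
    """The linear expression a*n + b in the parameter n."""
    a: int
    b: int

    def __call__(self, n: int) -> int:
        return self.a * n + self.b


@dataclass(frozen=True)
class Occurrence:
    """A literal P_f (neg=False) or ~P_f (neg=True) as it occurs in the
    schema.  Its index is ci*i + f(n), where i is the variable bound by the
    enclosing iteration with domain lo(n) <= i <= hi(n); ci = 0 for a
    literal outside any iteration (lo and hi are then unused)."""
    neg: bool
    ci: int
    f: Expr
    lo: Expr = Expr(0, 0)
    hi: Expr = Expr(0, 0)


def psi(occ: Occurrence, e: Expr, n: int) -> bool:
    """psi_L(L') of the paper at a concrete n: can P_e coincide with this
    occurrence for an admissible value of the bound variable?"""
    if occ.ci == 0:
        return e(n) == occ.f(n)
    i = e(n) - occ.f(n)                 # the only candidate value of i
    return occ.lo(n) <= i <= occ.hi(n)


def phi(schema: List[Occurrence], e: Expr, neg: bool, n: int) -> bool:
    """phi_L(S) at n: the disjunction over the occurrences of L's polarity."""
    return any(psi(o, e, n) for o in schema if o.neg == neg)


def breakpoint_bound(schema: List[Occurrence], e: Expr, n_min: int) -> int:
    """Every inequality produced by psi has a constant term bounded by the
    sum of all constants in play, so beyond n_min + this bound no atom
    changes truth value any more."""
    consts = [abs(e.b), abs(n_min)]
    consts += [abs(x) for o in schema for x in (o.f.b, o.lo.b, o.hi.b)]
    return sum(consts) + 1


def occurs_forall(schema, e: Expr, neg: bool, n_min: int = 0) -> bool:
    """L occurs-forall (S /\ n >= n_min), L = P_e (neg=False) or ~P_e."""
    upto = n_min + breakpoint_bound(schema, e, n_min)
    return all(phi(schema, e, neg, n) for n in range(n_min, upto + 1))


def occurs_exists(schema, e: Expr, neg: bool, n_min: int = 0) -> bool:
    """L occurs-exists (S /\ n >= n_min)."""
    upto = n_min + breakpoint_bound(schema, e, n_min)
    return any(phi(schema, e, neg, n) for n in range(n_min, upto + 1))


# Example 2:  P_1 /\ /\_{i=1}^{n} (~P_i \/ P_{i+1}) /\ ~P_{n+1} /\ n >= 0
ONE, N = Expr(0, 1), Expr(1, 0)
EXAMPLE2 = [
    Occurrence(False, 0, Expr(0, 1)),               # P_1
    Occurrence(True, 1, Expr(0, 0), ONE, N),        # ~P_i,    1 <= i <= n
    Occurrence(False, 1, Expr(0, 1), ONE, N),       # P_{i+1}, 1 <= i <= n
    Occurrence(True, 0, Expr(1, 1)),                # ~P_{n+1}
]

if __name__ == "__main__":
    # The facts of Example 3, decided instead of read off the formula.
    print(occurs_forall(EXAMPLE2, Expr(0, 1), False))      # P_1: True
    print(occurs_forall(EXAMPLE2, Expr(0, 2), False))      # P_2: False
    print(occurs_exists(EXAMPLE2, Expr(0, 2), False))      # P_2 exists: True
    print(occurs_forall(EXAMPLE2, Expr(0, 2), False, 2))   # P_2 with n > 1: True
    print(occurs_exists(EXAMPLE2, Expr(1, 2), False))      # P_{n+2}: False
```

The bound is deliberately crude (a sum of absolute constants) because correctness only needs it to lie past the last point where some inequality in $\mathsf{n}$ flips; a tighter bound would speed things up but not change any answer. With several parameters, or indices that are not linear in the bound variable with coefficient 1, this shortcut no longer applies and a real Presburger decision procedure, as the paper relies on, is required.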

3 A Proof Procedure: DPLL*

We now provide a set of (sound) deduction rules (in the spirit of the Davis-Putnam-Logemann-Loveland procedure for propositional logic [12]) complete w.r.t. satisfiability (we know that it is not possible to get refutational completeness). Compared to other proof procedures [2], DPLL* allows subformulae occurring at deep positions inside a schema to be rewritten, in particular subformulae occurring in the scope of iterated connectives: this is crucial to handle nested iterations.

3.1 Extension Rules

DPLL* is a tableau-like procedure: rules are given to construct a tree whose root is the formula that one wants to refute. The formula is refuted iff all the branches are contradictory.

As usual with tableau-related methods, the aim of branching is to browse the possible interpretations of the schema. As a schema interpretation assigns a truth value to each atom and a number to each parameter, there are two branching rules: one for atoms, called Propositional splitting (this rule assigns a value to propositional variables, as the splitting rule in DPLL), and one for parameters, called Constraint splitting. However Constraint splitting does not give a value to the parameters, but rather restricts their values by refining the constraint of the schema (i.e. $C_S$), e.g. the parameter can be either greater or lower than a given integer, leading to two branches in the tableau. Naturally, in order to analyze a schema, one has to investigate the contents of iterations. So a relevant constraint to use for the branching is the one that states the emptiness of some iteration. In the branch where the iteration is empty, we can replace it by its neutral element (i.e. $\top$ for $\bigwedge$ and $\bot$ for $\bigvee$), which is done by Constraint splitting (this may also entail the emptiness of some other iterations, and thus their replacement by their neutral elements too; this is handled by Algebraic simplification). Then in the branch where the iteration is not empty, we can unfold the iteration: this is done by the Unfolding rule.

Iterations might occur in the scope of other iterations. Thus their domains might depend on variables bound by the outer iterations. Constraint splitting is of no help in this case; indeed it makes a branching only according to the values of the parameters: bound variables are out of its scope. Hence we define the rule Emptiness that can make a "deep" branching, i.e. a branching not in the tree, but in the schema itself: it "separates" an iteration into two distinct ones, depending on the constraint stating the emptiness of the inner iteration, e.g. $\bigvee_{\mathsf{i}=1}^{\mathsf{n}} \bigvee_{\mathsf{j}=3}^{\mathsf{i}} P_{\mathsf{j}} \wedge \mathsf{n} \geq 2$ is replaced by $\bigvee_{\mathsf{i}=3}^{\mathsf{n}} \bigvee_{\mathsf{j}=3}^{\mathsf{i}} P_{\mathsf{j}} \vee \bigvee_{\mathsf{i}=1}^{2} \bot \wedge \mathsf{n} \geq 2$. The reader can notice that Constraint splitting and Emptiness are very similar. It could be possible to merge both into only one rule, e.g. by considering infinite iterations, but this would complicate all the formalism for only a little gain in the proof system. Furthermore, Emptiness differs "conceptually" from Constraint splitting in the sense that its role is not to browse interpretations but only to analyse a formula.

Constraint splitting strongly affects the application of Propositional splitting. Indeed Propositional splitting only applies on atoms occurring in every instance of the schema (which is formalized by Definition 4), and we saw in Example 3 that this depends on the constraint of the schema. Once an atom has been given the value true (resp. false) we can substitute it with $\top$ (resp. $\bot$). However this is not as simple as in the propositional case, as this atom may occur in a realization of the schema without occurring in the schema itself (e.g. $P_1$ in $\bigwedge_{\mathsf{i}=1}^{\mathsf{n}} P_{\mathsf{i}}$ $(\star)$), so we cannot just substitute $\top$ for it. The simplification is performed by the rule Expansion which wraps the indexed propositions that are more general than the considered atom ($P_{\mathsf{i}}$ in $(\star)$) with an iteration whose domain is a disunification constraint stating that the proposition is distinct from the considered atom (this gives for $(\star)$: $\bigwedge_{\mathsf{i}=1}^{\mathsf{n}} \bigwedge_{\mathsf{j}|\mathsf{i} \neq 1 \wedge \mathsf{j} = 0} P_{\mathsf{i}}$). The introduced iteration is very specific because the bound variable always equals 0 (actually this variable is not used and does not even occur in the wrapped proposition, but we assign it to satisfy the condition in Definition 1 that it has to be enclosed by the domain). Whereas usual iterations shall be considered as "for loops", this iteration shall be considered as an "if then else". It all makes sense when Emptiness or Constraint splitting is applied: if the condition holds (i.e. if the wrapped indexed proposition differs from the atom) then the contents of the iteration hold (i.e. we keep the indexed proposition as is), else the iteration is empty (i.e. we replace it by its neutral element). In $(\star)$, Emptiness applies:

$$\bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \leq \mathsf{n} \wedge \exists\mathsf{j}(\mathsf{i} \neq 1 \wedge \mathsf{j} = 0)} \ \bigwedge_{\mathsf{j}|\mathsf{i} \neq 1 \wedge \mathsf{j} = 0} P_{\mathsf{i}} \quad \wedge \quad \bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \leq \mathsf{n} \wedge \forall\mathsf{j}(\mathsf{i} = 1 \vee \mathsf{j} \neq 0)} \top$$

(of course the domains can be simplified to allow a reader-friendly presentation: $\bigwedge_{\mathsf{i}|2 \leq \mathsf{i} \leq \mathsf{n}} \bigwedge_{\mathsf{j}|\mathsf{i} \neq 1 \wedge \mathsf{j} = 0} P_{\mathsf{i}} \wedge \bigwedge_{\mathsf{i}|\bot} \top$). Then Algebraic simplification gives:

$$\bigwedge_{\mathsf{i}|1 \leq \mathsf{i} \leq \mathsf{n} \wedge \exists\mathsf{j}(\mathsf{i} \neq 1 \wedge \mathsf{j} = 0)} P_{\mathsf{i}}$$

i.e. $\bigwedge_{\mathsf{i}=2}^{\mathsf{n}} P_{\mathsf{i}}$, as expected. All this process may seem cumbersome, but it is actually a uniform and powerful way of propagating constraints about nested iterations along the schema. The alternative would be to consider different expansion rules depending on whether $f_1, \ldots, f_k$ occur in an iteration or not, which would be rather tedious.

Finally we may know that an iteration is not empty without knowing which value of the bound variable satisfies the domain constraint, e.g. if a constraint, that we know not to be empty, contains $e \leq \mathsf{i} \wedge f \leq \mathsf{i}$, then how can we know which rank of $e$ or $f$ can indeed be reached? In such cases, the Interval splitting rule adds some constraints on the involved expressions to ensure this knowledge.

We now define dpll* formally. 
Definition 5 (Tableau). A tableau is a tree $T$ s.t. each node $\alpha$ in $T$ is labeled with a pair $(S_T(\alpha), \mathcal{L}_T(\alpha))$ containing a schema and a finite set of literals.

If $\alpha$ is the root of the tree then $\mathcal{L}_T(\alpha) = \emptyset$ and $S_T(\alpha)$ is called the root schema. The transitive closure of the child-parent relation is written . . . For a set of literals $\mathcal{L}$, $\bigwedge\mathcal{L}$ denotes the pattern $\bigwedge_{L \in \mathcal{L}} L$.

As usual a tableau is generated from another tableau by applying extension rules, written $\frac{P}{C}$ (resp. $\frac{P}{C_1 \mid C_2}$) where $P$ is the premise and $C$ (resp. $C_1, C_2$) the conclusion(s). Let $\alpha$ be a leaf of a tree $T$; if the label of $\alpha$ matches the premise then we can extend the tableau by adding to $\alpha$ a child (resp. two children) labeled with $C\sigma$ (resp. $C_1\sigma$ and $C_2\sigma$), where $\sigma$ is the matching substitution. A leaf $\alpha$ is closed iff $\Pi_{S_T(\alpha)}$ is equal to $\bot$ or $C_{S_T(\alpha)}$ is unsatisfiable.

When used in a premise, $S[\pi]$ means that the pattern $\pi$ occurs in $S$; then in a conclusion, $S[\pi']$ denotes $S$ in which $\pi$ has been substituted with $\pi'$.

Definition 6 (DPLL* rules). The extension rules are:

- Propositional splitting.

$$\frac{(S, \mathcal{L})}{(S, \mathcal{L} \cup \{P_{e_1,\ldots,e_k}\}) \ \mid\ (S, \mathcal{L} \cup \{\neg P_{e_1,\ldots,e_k}\})}$$

if either $P_{e_1,\ldots,e_k} \sqsubset_\forall S$ or $\neg P_{e_1,\ldots,e_k} \sqsubset_\forall S$, and neither $P_{e_1,\ldots,e_k} \sqsubset_\exists \bigwedge\mathcal{L} \wedge C_S$ nor $\neg P_{e_1,\ldots,e_k} \sqsubset_\exists \bigwedge\mathcal{L} \wedge C_S$.

- Constraint splitting. For $(\bigtriangleup, \epsilon) \in \{(\bigwedge, \top), (\bigvee, \bot)\}$:

$$\frac{(S[\bigtriangleup_{\mathsf{i}|C}\,\pi], \mathcal{L})}{(S[\bigtriangleup_{\mathsf{i}|C}\,\pi] \wedge \exists\mathsf{i}\,C, \mathcal{L}) \ \mid\ (S[\epsilon] \wedge \forall\mathsf{i}\,\neg C, \mathcal{L})}$$

if $C_S \wedge \forall\mathsf{i}\,\neg C$ is satisfiable and the free variables of $C$ other than $\mathsf{i}$ are parameters.

- Rewriting:

$$\frac{(S_1, \mathcal{L})}{(S_2, \mathcal{L})}$$

where $S_2$ is obtained from $S_1$ by applying one of the following rewrite rules to a pattern occurring in $S_1$:

  • Algebraic simplification.

$$\neg\top \to \bot \quad \pi \wedge \top \to \pi \quad \pi \wedge \bot \to \bot \quad \neg\bot \to \top \quad \pi \vee \top \to \top \quad \pi \vee \bot \to \pi \quad \pi \vee \pi \to \pi$$

  • Unfolding. For $(\bigtriangleup, \triangle) \in \{(\bigwedge, \wedge), (\bigvee, \vee)\}$:

$$\bigtriangleup_{\mathsf{i}|C}\,\pi \ \to\ \pi[e/\mathsf{i}] \ \triangle \bigtriangleup_{\mathsf{i}|C \wedge \mathsf{i} \neq e}\,\pi \qquad \text{if } \mathrm{Context}(S_1) \Rightarrow C[e/\mathsf{i}] \text{ is valid.}$$

  $e$ can be chosen arbitrarily³.

  • Emptiness. For $(\bigtriangleup, \triangle) \in \{(\bigwedge, \wedge), (\bigvee, \vee)\}$ and $(\bigtriangledown, \epsilon) \in \{(\bigwedge, \top), (\bigvee, \bot)\}$:

$$\bigtriangleup_{\mathsf{i}|C}\big(\pi[\bigtriangledown_{\mathsf{i}'|C'}\,\pi']\big) \ \to\ \bigtriangleup_{\mathsf{i}|C \wedge \exists\mathsf{i}'\,C'}\big(\pi[\bigtriangledown_{\mathsf{i}'|C'}\,\pi']\big) \ \triangle\ \bigtriangleup_{\mathsf{i}|C \wedge \forall\mathsf{i}'\,\neg C'}\big(\pi[\epsilon]\big)$$

  if $\mathrm{Context}(S_1) \wedge \forall\mathsf{i}'\,\neg C'$ is satisfiable and $\mathsf{i}$ occurs free in $C'$.

  • Expansion.

$$P_{e_1,\ldots,e_k} \ \to \bigwedge_{\mathsf{i}|(e_1 \neq f_1 \vee \cdots \vee e_k \neq f_k) \wedge \mathsf{i} = 0} P_{e_1,\ldots,e_k} \qquad \text{if } P_{f_1,\ldots,f_k} \in \mathcal{L}$$

$$\neg P_{e_1,\ldots,e_k} \ \to \bigvee_{\mathsf{i}|(e_1 \neq f_1 \vee \cdots \vee e_k \neq f_k) \wedge \mathsf{i} = 0} \neg P_{e_1,\ldots,e_k} \qquad \text{if } P_{f_1,\ldots,f_k} \in \mathcal{L}$$

  if $\mathrm{Context}(S_1) \wedge e_1 = f_1 \wedge \cdots \wedge e_k = f_k$ is satisfiable; $\mathsf{i}$ is a fresh variable. When $\neg P_{f_1,\ldots,f_k} \in \mathcal{L}$ instead, the symmetric rules apply (the wrapping iteration is $\bigvee$ for $P_{e_1,\ldots,e_k}$ and $\bigwedge$ for $\neg P_{e_1,\ldots,e_k}$), so that in every case the occurrence is replaced by $\top$ when the literal in $\mathcal{L}$ makes it true and by $\bot$ when it makes it false.

- Interval splitting. For $k, l \in \mathbb{N}$, $\bigtriangleup \in \{\bigwedge, \bigvee\}$, $\lhd \in \{<, \leq, >, \geq\}$:

$$\frac{(S[\bigtriangleup_{\mathsf{i}|C \wedge k.\mathsf{i} \lhd e_1 \wedge l.\mathsf{i} \lhd e_2}\,\pi], \mathcal{L})}{(S[\bigtriangleup_{\mathsf{i}|C \wedge k.\mathsf{i} \lhd e_1}\,\pi] \wedge l.e_1 \lhd k.e_2, \mathcal{L}) \ \mid\ (S[\bigtriangleup_{\mathsf{i}|C \wedge l.\mathsf{i} \lhd e_2}\,\pi] \wedge \neg(l.e_1 \lhd k.e_2), \mathcal{L})}$$

if every free variable of $C$ is either $\mathsf{i}$ or a parameter, all variables of $e_1, e_2$ are parameters and $k > 0$, $l > 0$.


3.2 Looping Detection

The above extension rules do not terminate in general, but this is not surprising as the satisfiability problem is undecidable [2]. Non-termination comes from the fact that iterations can be infinitely unfolded (consider e.g. $\bigvee_{\mathsf{i}=1}^{\mathsf{n}} P_{\mathsf{i}} \wedge \neg P_1$), thus leading to infinitely many new schemata. However it is often the case that newly obtained schemata have already been seen (up to some relation that remains to be defined), i.e. the procedure is looping (e.g. $\bigvee_{\mathsf{i}=1}^{\mathsf{n}} P_{\mathsf{i}} \wedge \neg P_1$ will generate $\bigvee_{\mathsf{i}=2}^{\mathsf{n}} P_{\mathsf{i}} \wedge \neg P_1$, then $\bigvee_{\mathsf{i}=3}^{\mathsf{n}} P_{\mathsf{i}} \wedge \neg P_1$, then . . . which are all equal up to a shift of $\mathsf{n}$). This is actually an algorithmic interpretation of a proof by mathematical induction. We now define precisely the notion of looping. We start with a very general definition:
We start with a very general definition: 

Definition 7 (Looping). Let $S_1, S_2$ be two schemata having the same parameters $\mathsf{n}_1, \ldots, \mathsf{n}_k$; we say that $S_1$ loops on $S_2$ iff for every model $\mathcal{I}$ of $S_1$ there is a model $\mathcal{J}$ of $S_2$ s.t. $\rho_{\mathcal{J}}(\mathsf{n}_j) < \rho_{\mathcal{I}}(\mathsf{n}_j)$ for some $j \in 1..k$ and $\rho_{\mathcal{J}}(\mathsf{n}_l) \leq \rho_{\mathcal{I}}(\mathsf{n}_l)$ for every $l \neq j$. The induced relation among schemata is called the looping relation.

³ e.g. in Section 5.2 we choose the maximal integer fulfilling the desired property.
Looping is undecidable (e.g. if $S_2 = \bot$ then $S_1$ loops on $S_2$ iff $S_1$ is unsatisfiable). It is trivially transitive. An advantage of Definition 7 is that, contrarily to the definitions found in [2, 1], it is independent of the considered proof procedure. However we still have to make precise the link with DPLL*:

Definition 8. Let $\alpha, \beta$ be nodes in a tableau $T$. $SC_T(\alpha)$ denotes the schema $S_T(\alpha) \wedge \bigwedge\mathcal{L}_T(\alpha)$. Then $\beta$ loops on $\alpha$ iff $SC_T(\beta)$ loops on $SC_T(\alpha)$.

Following the terminology of [6], $\beta$ is called a bud node and $\alpha$ its companion node. The Looping rule closes a leaf that loops on some existing node of the tableau. From now on, DPLL* denotes the extension rules, plus the Looping rule.

An example of a tableau generated by DPLL* can be found in Appendix A.

3.3 Soundness and Completeness

Definition 9. Let $\mathcal{I}$ be an interpretation and $\alpha$ a leaf of a tableau $T$. We write $\mathcal{I} \models_T \alpha$ iff $\mathcal{I} \models SC_T(\alpha)$ (or simply $\mathcal{I} \models \alpha$ when $T$ is obvious from the context). We write $\mathcal{I} \models T$ iff there exists a leaf $\alpha$ in $T$ s.t. $\mathcal{I} \models \alpha$. The definitions of model and satisfiability naturally extend.

Lemma 1. Let $T, T'$ be tableaux s.t. $T'$ is obtained by applying an extension rule (i.e. any rule except the Looping rule) on a leaf $\alpha$ of $T$. Let $\mathcal{I}$ be an interpretation. $\mathcal{I} \models \alpha$ iff there exists a child $\beta$ of $\alpha$ in $T'$ s.t. $\mathcal{I} \models \beta$.

Proof. For Propositional splitting there are two branches $\beta_1, \beta_2$. If $\mathcal{I} \models \alpha$ then either $\mathcal{I}_P \models |P_{e_1,\ldots,e_k}|_{\rho_{\mathcal{I}}}$ or $\mathcal{I}_P \models |\neg P_{e_1,\ldots,e_k}|_{\rho_{\mathcal{I}}}$, and consequently either $\mathcal{I} \models \beta_1$ or $\mathcal{I} \models \beta_2$. Conversely it is easily seen that if we have $\mathcal{I} \models \beta_1$ or $\mathcal{I} \models \beta_2$ then $\mathcal{I} \models \alpha$.

Similarly we write $\beta_1, \beta_2$ for the two branches of Constraint splitting. By completeness of linear arithmetic, either $\models \exists\mathsf{i}\,(C\rho_{\mathcal{I}})$ or $\models \forall\mathsf{i}\,\neg(C\rho_{\mathcal{I}})$ for any interpretation $\mathcal{I}$ (notice that by the application condition of the rule, all variables occurring in $C$ are parameters, thus $\mathsf{i}$ is the only free variable of $C\rho_{\mathcal{I}}$). Suppose $\mathcal{I} \models \alpha$, then in the first case $\mathcal{I} \models \beta_1$; in the second case the iteration is empty so $\mathcal{I} \models \beta_2$. Conversely if $\mathcal{I} \models \beta_1$ then it is trivial that $\mathcal{I} \models \alpha$, and if $\mathcal{I} \models \beta_2$ then $\models \forall\mathsf{i}\,\neg(C\rho_{\mathcal{I}})$ and thus $|\bigtriangleup_{\mathsf{i}|C}\,\pi|_{\rho_{\mathcal{I}}} = \epsilon$ (following the notations of Constraint splitting), so $\mathcal{I} \models \alpha$.

We do not detail all the rewrite rules, which have only one conclusion. Suppose $\beta$ is obtained from $\alpha$ by rewriting a schema $S_1$ into $S_2$. Let $\mathcal{I}$ be a model of $\alpha$ or $\beta$ (whether one proves the "only if" or the "if" implication of the lemma). It is easily proved (using the side conditions of each rewrite) that $\mathcal{I}_P(|S_1|_{\rho_{\mathcal{I}}}) = \mathcal{I}_P(|S_2|_{\rho_{\mathcal{I}}})$, i.e. for any $\mathcal{I}$ the propositional realizations under $\rho_{\mathcal{I}}$ of $S_1$ and $S_2$ have the same value w.r.t. $\mathcal{I}_P$. Actually we even have that for all rules except Expansion, and for every environment $\rho$ of $S_1$, $|S_1|_\rho$ and $|S_2|_\rho$ are equivalent.

Consider Interval splitting. Suppose we have $\mathcal{I} \models \alpha$; then either $(l.e_1 \lhd k.e_2)\rho_{\mathcal{I}}$ or $(\neg(l.e_1 \lhd k.e_2))\rho_{\mathcal{I}}$ is valid (by completeness of linear arithmetic). Furthermore, it is easily seen that for every $\mathsf{i}$, $l.e_1 \lhd k.e_2$ and $k.\mathsf{i} \lhd e_1$ entail $l.\mathsf{i} \lhd e_2$ (as $k, l > 0$; one has to carefully make the distinction between the cases $e_1 = 0$ and $e_1 \neq 0$), and $\neg(l.e_1 \lhd k.e_2)$ and $l.\mathsf{i} \lhd e_2$ entail $k.\mathsf{i} \lhd e_1$. Consequently, in both cases removing the entailed constraint does not affect the propositional realization of the iteration, and thus $\mathcal{I} \models \beta_1$ or $\mathcal{I} \models \beta_2$. Now suppose $\mathcal{I} \models \beta_1$. Then $(l.e_1 \lhd k.e_2)\rho_{\mathcal{I}}$ is valid. Thus we have in the exact same way: $\forall\mathsf{i}\,(k.\mathsf{i} \lhd e_1 \Rightarrow l.\mathsf{i} \lhd e_2)\rho_{\mathcal{I}}$. And thus $(k.\mathsf{i} \lhd e_1)\rho_{\mathcal{I}}$ is equivalent to $(k.\mathsf{i} \lhd e_1 \wedge l.\mathsf{i} \lhd e_2)\rho_{\mathcal{I}}$. So $\mathcal{I} \models \alpha$. The case $\mathcal{I} \models \beta_2$ is similar. □

A leaf is irreducible iff no rule of DPLL* applies to it.

Lemma 2. If a leaf $\alpha$ in $T$ is irreducible and not closed then $T$ is satisfiable.

Proof. We first show that $S_T(\alpha)$ does not contain iterations. If there are iterations then there are iterations which are not contained in any other iteration. Let $\bigtriangleup_{\mathsf{i}|C}\,\pi$ be such an iteration. $\bigtriangleup_{\mathsf{i}|C}\,\pi$ cannot be empty by irreducibility of Constraint splitting and Emptiness. So by irreducibility of Interval splitting and elimination of quantifiers in linear arithmetic, $C$ can be restricted to a non-empty disjunction of inequalities $e_1 \leq \mathsf{i} \wedge \mathsf{i} \leq e_2$. Thus $C[e_1/\mathsf{i}]$ is valid and Unfolding can apply, which is impossible. Hence there cannot be any iteration which is not contained in any other iteration, thus there cannot be any iteration at all. So $S_T(\alpha)$ is constructed only with $\wedge$, $\vee$, and indexed propositions. Hence it is easily seen that any literal $L$ s.t. $L \sqsubset S_T(\alpha)$ satisfies $L \sqsubset_\forall S_T(\alpha)$. Thus either $L \in \mathcal{L}_T(\alpha)$ or $L^c \in \mathcal{L}_T(\alpha)$ by irreducibility of Propositional splitting. As a consequence, if there existed such a literal, Expansion and then Algebraic simplification would have applied, turning every occurrence of $L$ into $\bot$ or $\top$. Hence $S_T(\alpha)$ does not contain any literal, and by irreducibility of Algebraic simplification $S_T(\alpha)$ is either $\bot$, impossible as the branch is not closed, or $\top$, which is satisfiable. Finally $\mathcal{L}_T(\alpha)$ cannot contain two contradictory literals, because the application conditions of Propositional splitting ensure that $L$ is added to $\mathcal{L}_T(\alpha)$ only if neither $L \sqsubset_\exists \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ nor $L^c \sqsubset_\exists \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$. We conclude with Lemma 1 that the initial tableau is satisfiable. □

Theorem 1 (Soundness). Let T be a tableau. If a tableau T' is obtained from 
T by application of the extension rules, and if T' contains an irreducible and 
not closed leaf then T is satisfiable. 

Proof. This follows immediately from Lemmata 1 and 2. □ 

We now prove that the procedure is complete w.r.t. satisfiability i.e. that if S 
has a model then every sequence of tableaux constructed from S (in a fair way) 
eventually contains an irreducible and not closed branch. To do this we assume 
the existence of a model, then we define a well-founded measure w.r.t. this model 
and we show that it strictly decreases at each rule application (Lemma 3). Thus 
there will be a leaf s.t. this measure is minimal, so no rule can apply on it. We 
then use Lemma 1 to show that this leaf cannot be closed. This is formalized in 
the proof of Theorem 2. 

Intuitively, we take a model $\mathcal{I}$ and apply DPLL* by focusing only on the branch for which $\mathcal{I}$ is a model (by Lemma 1, there always exists such a branch). Then, in this branch, all iterations will progressively be unfolded. This process will stop because each iteration has a fixed length in $\mathcal{I}$. Concretely, the iterations will be unfolded rank by rank until only an empty iteration remains, which will then be removed either by Constraint splitting or by Emptiness. Once this is done for all iterations, what remains is the propositional realization of the original schema w.r.t. $\rho_{\mathcal{I}}$ (except that in the meantime some literals may have been evaluated, leading to some possible simplifications). So we have a propositional formula, and Algebraic simplification applies until we obtain $\top$, i.e. a node which is irreducible and not closed.

As the reader will see, the presented measure is not trivial (in particular $m^3_{\mathcal{I}}$). We first outline the encountered problems that justify such a definition. From the explanations of the previous paragraph, the measure must be greater when the schema contains an iteration (and the longer the iteration is, the greater the measure shall be). For instance such a measure would be strictly lower after an application of Unfolding. Emptiness divides an iteration into two iterations such that the sum of their lengths is equal to the length of the original iteration, thus the measure remains the same. This is easily circumvented, e.g. by squaring the length of iterations. A bigger problem occurs with Expansion, which adds iterations where there was no iteration before. A natural solution is to define another measure that decreases on Expansion, e.g. the number of possible applications of the rule, and to give this measure a higher priority (via a lexicographic ordering). But this does not work because Unfolding duplicates the pattern $\pi$ (following the notations of the rule) and can thus increase the number of possible applications of Expansion. Similar problems are encountered with Emptiness: this rule also makes a kind of unfolding but, following the notations of the rule, $C \wedge \exists i'\,C'$ can be unsatisfiable. In such a case the unfolding is fake: it just allows us to introduce the information $\forall i'\,\neg C'$ in the rightmost iteration. So in this case we have just introduced a new iteration, without even decomposing the original one. Once again we could define another measure, e.g. the number of possible applications of Emptiness, but this is increased by Unfolding.

We now present formally our solution, which requires the two following "auxiliary" functions:

$\mu(x, 0) = (x + 2)^2$ \qquad $\nu(0) = 1$

$\mu(x, k+1) = (\mu(x, k) + x + 2)^2$ \qquad $\nu(k+1) = \mu(\nu(k), 0) + 1$

The following results are easily proved (most of them by induction). They sum up all the properties of $\nu$ and $\mu$ that are useful to prove that the measure decreases.

Proposition 2.

1. $\forall x, k \in \mathbb{N},\ \mu(x, k) \geq 4$

2. $\forall x, k \in \mathbb{N},\ \mu(x, k) > x$

3. $\forall x, y, k \in \mathbb{N},\ x < y \Rightarrow \mu(x, k) < \mu(y, k)$

4. $\forall k_1, k_2 \in \mathbb{N},\ k_1 < k_2 \Rightarrow \nu(k_1) < \nu(k_2)$

5. $\forall x, y, k \in \mathbb{N}$ s.t. $y \geq 1$, $\mu(x, k) + y < \mu(x + y, k)$

6. $\forall x, y, k \in \mathbb{N},\ \mu(x, k) + \mu(y, k) < \mu(x + y, k + 1)$

7. $\forall k \in \mathbb{N},\ \nu(k + 1) > \mu(\nu(k), 0)$



We can now define the measure. Let $\mathcal{I}$ be an interpretation and $\alpha$ a node of a tableau $T$. We set $m_{\mathcal{I}}(\alpha, T) = (m^1_{\mathcal{I}}(\alpha),\ m^2_{\mathcal{I}}(\alpha),\ m^3_{\mathcal{I}}(S_T(\alpha)),\ m^4_{\mathcal{I}}(\alpha),\ m^5_{\mathcal{I}}(\alpha))$, ordered using the lexicographic extension of the usual ordering on natural numbers, where the five components are defined as follows:

1. For a parameter $n$ of $S_T(\alpha)$, $m^1_{\mathcal{I},n}(\alpha) = \rho_{\mathcal{I}}(n)$. $m^1_{\mathcal{I}}(\alpha)$ is defined as the multiset extension of $m^1_{\mathcal{I},n}$ to all parameters of $S_T(\alpha)$.

2. $m^2_{\mathcal{I}}(\alpha)$ is the number of atoms (different from $\bot$, $\top$) that occur in $|S_T(\alpha)|_{\rho_{\mathcal{I}}}$ but not in $|\bigwedge\mathcal{L}_T(\alpha)|_{\rho_{\mathcal{I}}}$.

3. $m^3_{\mathcal{I}}(S_T(\alpha))$ is defined by induction on the structure of $\Pi_{S_T(\alpha)}$:

- $m^3_{\mathcal{I}}(\top) = m^3_{\mathcal{I}}(\bot) = 1$

- $m^3_{\mathcal{I}}(\neg\pi) = m^3_{\mathcal{I}}(\pi) + 1$

- $m^3_{\mathcal{I}}(\pi_1 \wedge \pi_2) = m^3_{\mathcal{I}}(\pi_1) + m^3_{\mathcal{I}}(\pi_2)$

- $m^3_{\mathcal{I}}(\bigwedge_{i|C}\pi) = \mu\big(\sum_{j \in E} m^3_{\mathcal{I}}(\pi[j/i]),\ n_{it}\big)$ where $E$ is the set $\{j \in \mathbb{Z} \mid C\rho_{\mathcal{I}}[j/i] \text{ is valid}\}$ ($E$ is finite since $C$ encloses $i$) and $n_{it}$ is the number of iterations $\bigvee_{i'|C'}\pi'$ occurring in $\pi$ s.t. Emptiness can apply on $\bigwedge_{i|C}\pi[\bigvee_{i'|C'}\pi']$ (with the notations of Emptiness).

- $m^3_{\mathcal{I}}(P_{e_1,\dots,e_k}) = \nu(n_l)$ where $n_l$ is the number of literals $\pm P_{f_1,\dots,f_k} \in \mathcal{L}_T(\alpha)$ s.t. Expansion applies on $P_{e_1,\dots,e_k}$.

4. $m^4_{\mathcal{I}}(\alpha)$ is the number of possible applications of Interval splitting on $\alpha$.

5. $m^5_{\mathcal{I}}(\alpha)$ is the number of iterations $\bigwedge_{i|C}\pi$ of $S_T(\alpha)$ s.t. $\mathcal{C}_{S_T(\alpha)} \wedge \forall i\,\neg C$ is satisfiable.

An extended child of a node $\alpha$ is a child of $\alpha$ if $\alpha$ is not a bud node, or the companion node of $\alpha$ otherwise. For extended children we have the following weaker version of Lemma 1:

Proposition 3. Let $T$, $T'$ be tableaux s.t. $T'$ is obtained by applying any rule of DPLL* on a leaf $\alpha$ of $T$. If $\alpha$ is satisfiable then there exists a satisfiable extended child of $\alpha$ in $T'$.

Proof. Indeed, if $\alpha$ is a bud node then it follows from Definitions 7 and 8, otherwise it follows from Lemma 1. □

Let $\mathcal{I}$ be a model of $\alpha$ and $\beta$ a satisfiable extended child of $\alpha$; $\mathcal{I}_\beta$ is defined as follows: if $\alpha$ is a bud node then there is $\mathcal{J}$ s.t. $\rho_{\mathcal{J}}(n) < \rho_{\mathcal{I}}(n)$ for some parameter $n$ and $\mathcal{J} \models \beta$, and we set $\mathcal{I}_\beta = \mathcal{J}$. If $\alpha$ is not a bud node then $\mathcal{I}_\beta = \mathcal{I}$. We can now prove the main lemma, which states that the measure strictly decreases when applying a rule.

Lemma 3. Let $T$, $T'$ be tableaux s.t. $T'$ is deduced from $T$ by applying a rule on a leaf $\alpha$. If there is a model $\mathcal{I}$ of $\alpha$ then for every satisfiable extended child $\beta$ of $\alpha$ in $T'$ we have $m_{\mathcal{I}_\beta}(\beta, T') < m_{\mathcal{I}}(\alpha, T)$.

Proof. By inspection of the extension rules:

Rule                     | $m^1_{\mathcal{I}}(\alpha)$ | $m^2_{\mathcal{I}}(\alpha)$ | $m^3_{\mathcal{I}}(S_T(\alpha))$ | $m^4_{\mathcal{I}}(\alpha)$ | $m^5_{\mathcal{I}}(\alpha)$
Propositional splitting  | $\leq$ | $<$    |        |        |
Constraint splitting     | $\leq$ | $\leq$ | $\leq$ | $\leq$ | $<$
Algebraic simplification | $\leq$ | $\leq$ | $<$    |        |
Unfolding                | $\leq$ | $\leq$ | $<$    |        |
Emptiness                | $\leq$ | $\leq$ | $<$    |        |
Expansion                | $\leq$ | $\leq$ | $<$    |        |
Interval splitting       | $\leq$ | $\leq$ | $\leq$ | $<$    |
Looping                  | $<$    |        |        |        |

$\leq$ (resp. $<$) means that the corresponding measure does not increase (resp. strictly decreases) by application of the rule; a row stops at the first strictly decreasing component, since the remaining components are irrelevant for the lexicographic ordering.

— For $m^1_{\mathcal{I}}(\alpha)$, Looping strictly decreases by Definition 7. In all other cases $\mathcal{I}_\beta = \mathcal{I}$, so all parameters have the same values and $m^1_{\mathcal{I}}(\alpha)$ is constant.

— When Propositional splitting applies, either $P_{e_1,\dots,e_k} \sqsubseteq_0 S$ or $\neg P_{e_1,\dots,e_k} \sqsubseteq_0 S$ (following the notations of Propositional splitting), so either $|P_{e_1,\dots,e_k}|_{\rho_{\mathcal{I}}} \sqsubsete |S_T(\alpha)|_{\rho_{\mathcal{I}}}$ or $|\neg P_{e_1,\dots,e_k}|_{\rho_{\mathcal{I}}} \sqsubseteq |S_T(\alpha)|_{\rho_{\mathcal{I}}}$. Hence either $P_{e_1,\dots,e_k}$ or $\neg P_{e_1,\dots,e_k}$ is added to $\mathcal{L}_T(\alpha)$, thus $m^2_{\mathcal{I}}(\alpha)$ strictly decreases. It is obvious that the other rules (except Looping) cannot increase the number of atoms in $|S_T(\alpha)|_{\rho_{\mathcal{I}}}$ (even the rules that duplicate a pattern, namely Unfolding and Emptiness: indeed the number of atoms is increased in the schema but its propositional realization remains the same, see the proof of Lemma 1), thus they cannot increase $m^2_{\mathcal{I}}(\alpha)$. Looping has already been shown to be decreasing, so, due to the lexicographic ordering, we do not mind that this rule possibly increases $m^2_{\mathcal{I}}(\alpha)$. The same argument allows us to omit the Propositional splitting rule in the following, and similarly for each subsequent measure.

— We detail the case of $m^3_{\mathcal{I}}(S_T(\alpha))$, rule by rule (the notations used here, $n_l$, $n_{it}$ and $E$, are the same as in the definition of $m^3_{\mathcal{I}}$):

1. Constraint splitting: the pattern does not change, but one must take care that $\mathrm{Context}(S_T(\alpha))$ does change, so $n_l$ and $n_{it}$ may change. However Constraint splitting only strengthens the context and so cannot increase those numbers.

2. Algebraic simplification: obvious by inspection of all rules. The first two items of Proposition 2 enable us to conclude for the rules involving an iteration.

3. Unfolding: the result follows from the fifth item of Proposition 2 (taking $y = m^3_{\mathcal{I}}(\pi[e/i])$; $m^3_{\mathcal{I}}(\pi) \geq 1$ for every pattern $\pi$, so indeed $y \geq 1$). Similarly to Constraint splitting, $n_l$ and $n_{it}$ cannot increase.

4. For Emptiness, the result follows from the sixth item of Proposition 2: it is easily seen that $n_{it}$ strictly decreases, from the application conditions of Emptiness and because those conditions are not satisfied anymore after the rewrite. $\mu$ and $n_{it}$ have been precisely defined to handle this rule.

5. For Expansion, the result follows from the seventh item of Proposition 2: it is obvious that $n_l$ strictly decreases during the rewrite. $\nu$ and $n_l$ have been precisely defined to handle this rule.

6. Interval splitting only changes the domain of an iteration. With a reasoning similar to that of Lemma 1, one easily gets that in both branches the set $E$ remains the same. Furthermore, similarly to the Constraint splitting case, $n_l$ and $n_{it}$ cannot increase.

— The last two measures follow the application conditions of the corresponding decreasing rules, which easily entail their behaviour. It is obvious that Constraint splitting cannot increase $m^4_{\mathcal{I}}(\alpha)$. □

A derivation is a (possibly infinite) sequence of tableaux $(T_i)_{i \in I}$ s.t. $I$ is either $[0..k]$ for some $k \geq 0$, or $\mathbb{N}$, and s.t. for all $i > 0$, $T_i$ is obtained from $T_{i-1}$ by applying one of the rules. A derivation is fair iff either there is $i \in I$ s.t. $T_i$ contains an irreducible, not closed, leaf, or for all $i \in I$ and every leaf $\alpha$ in $T_i$ there is $j > i$ s.t. a rule is applied on $\alpha$ in $T_j$ (i.e. no leaf can be indefinitely "frozen").

Theorem 2 (Model Completeness). Let $T_0$ be a satisfiable tableau. If $(T_i)_{i \in I}$ is a fair derivation then there are $k \in I$ and a leaf $\alpha_k$ in $T_k$ s.t. $\alpha_k$ is irreducible and not closed.

Proof. By Lemma 1, for every model $\mathcal{I}$ of $T_0$ and for all $k \in I$, $T_k$ contains a leaf $\alpha_k$ s.t. $\mathcal{I} \models \alpha_k$. Consider such $\mathcal{I}$, $k$, $\alpha_k$ s.t. $m_{\mathcal{I}}(\alpha_k, T_k)$ is minimal (it exists since the ordering on $m_{\mathcal{I}}(\alpha_k, T_k)$ is well-founded). By Lemma 1, $\alpha_k$ is not closed. Suppose that $\alpha_k$ is not irreducible. Then, since the derivation is fair, there is $l > k$ s.t. a rule is applied on $\alpha_k$ in the tableau $T_l$. By Proposition 3 there exists a satisfiable extended child $\beta$ of $\alpha_k$ in $T_l$, and $m_{\mathcal{I}_\beta}(\beta, T_l) < m_{\mathcal{I}}(\alpha_k, T_k)$ by Lemma 3. This is impossible by minimality of $m_{\mathcal{I}}(\alpha_k, T_k)$. Hence $\alpha_k$ is irreducible. □

4 Looping Refinements 

The notion of loop introduced in Definition 8 is undecidable, thus, in practice, 
we use decidable refinements of looping. 

Definition 10. A binary relation between schemata is a looping refinement iff it is a subset of the looping relation.

Termination proofs work by showing that the set of schemata which are gener- 
ated by the procedure is finite up to some (decidable) looping refinement. We 
make precise this notion: 

Definition 11. Let $\mathcal{S}$ be a set of schemata and $\triangleright$ a looping refinement. A schema $[S] \in \mathcal{S}$ is a $\triangleright$-maximal companion (or just maximal companion when $\triangleright$ is obvious from the context) w.r.t. $\mathcal{S}$ iff there is no $S' \in \mathcal{S}$ s.t. $[S] \triangleright S'$. The set of all $\triangleright$-maximal companions w.r.t. $\mathcal{S}$ is written $\mathcal{S}/{\triangleright}$. If $\mathcal{S}/{\triangleright}$ is finite then we say that $\mathcal{S}$ is finite up to $\triangleright$.

Notice that we use the notations $[S]$ and $\mathcal{S}/{\triangleright}$ as if we were talking of an equivalence class and a quotient set, but $\triangleright$ is generally not an equivalence. However the underlying intuition is often very close, and we think that using this notation makes it easier to understand the proofs, as long as the reader is clearly aware that this is not an equivalence relation.






4.1 Equality up to a Shift 



We now present perhaps the simplest refinement of looping. A shiftable is a 
schema, a linear constraint, a pattern, a linear expression or a tuple of those. 
The refinement is defined on shiftables (and not only on schemata) in order to 
handle those objects in a uniform way. This is useful in the termination proof of 
Section 5. 

Definition 12. Let $s$, $s'$ be shiftables and $n$ a variable. If $s' = s[n - k/n]$ for some $k > 0$, then $s'$ is equal to $s$ up to a shift of $k$ on $n$, written $s' \equiv_n s$ (or $s' \equiv_n^k s$ when we want to make $k$ explicit).

Notice that we use a syntactical equality, e.g. we do not care about associativity or commutativity of $\wedge$ and $\vee$ when the shiftables are schemata, nor do we use linear constraint equivalence when the shiftables are linear constraints. This makes this refinement less powerful but trivial to implement and easier to reason with.

Proposition 4. Let $n$ be a variable; the restriction of $\equiv_n$ to schemata having $n$ as a parameter is a looping refinement.

Proof. Let $S_1$, $S_2$ be schemata s.t. $S_1 \equiv_n^k S_2$ for some $k > 0$. Let $\mathcal{I}$ be a model of $S_1$. We define $\mathcal{J}$ s.t. $\rho_{\mathcal{J}}(n) = \rho_{\mathcal{I}}(n) - k$, $\rho_{\mathcal{J}}(m) = \rho_{\mathcal{I}}(m)$ for $m \neq n$ and $\mathcal{J}_p = \mathcal{I}_p$. It is obvious that $|S_1|_{\rho_{\mathcal{I}}} = |S_2|_{\rho_{\mathcal{J}}}$ and, as $\mathcal{J}_p = \mathcal{I}_p$, $\mathcal{J} \models S_2$. It is also obvious that $\rho_{\mathcal{J}}(n) < \rho_{\mathcal{I}}(n)$. □

Proposition 5. For all shiftables $s$, $s_1$, $s_2$, if $s_1 \equiv_n s$ and $s_2 \equiv_n s$ then either $s_1 \equiv_n s_2$, or $s_2 \equiv_n s_1$, or $s_1 = s_2$.

Finally, $\equiv_n$ is transitive but neither reflexive (e.g. $P_n$) nor irreflexive (e.g. $P_1$). It is irreflexive for shiftables containing $n$, and reflexive for shiftables not containing $n$ (in which case equality up to a shift just amounts to equality).

Definition 13. A set of shiftables $\mathcal{S}$ s.t. all its distinct elements are comparable w.r.t. $\equiv_n$ is called a looping chain. We extend the notion of maximal companion to shiftables: a shiftable $s$ is a maximal companion w.r.t. a set of shiftables $\mathcal{S}$ iff there is no $s' \in \mathcal{S}$ s.t. $s \equiv_n s'$. If a looping chain $\mathcal{S}$ contains a shiftable $s$ which is a maximal companion w.r.t. $\mathcal{S}$ then $\mathcal{S}$ is a well-founded chain.

From the previous remarks a looping chain has the form $\cdots \equiv_n s_{i-1} \equiv_n s_i \equiv_n s_{i+1} \equiv_n \cdots$, hence the name "looping chain". Then, by considering all its totally comparable subsets, any set of shiftables can be seen as a union of looping chains. A well-founded chain has the form $\cdots \equiv_n s_2 \equiv_n s_1 \equiv_n s_0$, where $s_0$ is a maximal companion w.r.t. the chain.

We focus now on sets which are finite up to equality up to a shift, in short "$\equiv_n$-finite" (i.e. sets which are finite unions of well-founded chains): termination proofs go by showing that the set of all schemata possibly generated by DPLL* is $\equiv_n$-finite, thus ensuring that the Looping rule will eventually apply. To prove such results we need to reason by induction on the structure of a schema. To do this properly we need closure properties for $\equiv_n$-finite sets, i.e. if we know that two sets are $\equiv_n$-finite, we would like to be able to combine them and preserve the $\equiv_n$-finite property. This is generally not possible, e.g. for two $\equiv_n$-finite sets of shiftables $\mathcal{S}_1$ and $\mathcal{S}_2$, the set $\mathcal{S}_1 \times \mathcal{S}_2$ (remember that shiftables are closed under tuple construction) is generally not $\equiv_n$-finite. For instance take $\mathcal{S}_1 = \{P_n, P_{n-1}, P_{n-2}, \dots\}$ ($\mathcal{S}_1$ is $\equiv_n$-finite with $\mathcal{S}_1/{\equiv_n} = \{P_n\}$) and $\mathcal{S}_2 = \{P_n\}$ (which is finite and thus $\equiv_n$-finite). Then $\{(P_n, P_n), (P_{n-1}, P_n), (P_{n-2}, P_n), \dots\}$ is not $\equiv_n$-finite: indeed for every $i \in \mathbb{N}$, $(P_{n-i}, P_n)$ is a maximal companion in $\mathcal{S}_1 \times \mathcal{S}_2$, so there is an infinite set of maximal companions. Consequently $\mathcal{S}_1 \times \mathcal{S}_2$ is not $\equiv_n$-finite. This example also shows that $\equiv_n$-finite sets are not even closed under cartesian product with a finite set. Hence we have to restrict our closure operators.

Definition 14. Let $n$ be a variable. A shiftable $s$ is translated w.r.t. $n$ iff for every linear expression $e$ occurring in $s$ and containing $n$ there is $k \in \mathbb{Z}$ s.t. $e = n + k$ (i.e. neither $k.n$ nor $n + i$ are allowed, where $k \in \mathbb{Z}$, $k \neq 1$, and $i$ is a variable). Assume that $s$ is translated w.r.t. $n$. The deviation of $s$ w.r.t. $n$, written $\delta(s)$, is defined as $\delta(s) = \max\{k_1 - k_2 \mid k_1, k_2 \in \mathbb{Z},\ n + k_1 \text{ and } n + k_2 \text{ occur in } s\}$, and $\delta(s) = 0$ if $s$ does not contain $n$. Let $k \in \mathbb{N}$; we write $\mathfrak{B}_k$ for the set $\{s \mid \delta(s) \leq k\}$.

Theorem 3. Let $\mathcal{S}_1$ and $\mathcal{S}_2$ be two sets of shiftables translated w.r.t. a variable $n$. If $\mathcal{S}_1$ and $\mathcal{S}_2$ are $\equiv_n$-finite then, for any $k \in \mathbb{N}$, the set $(\mathcal{S}_1 \times \mathcal{S}_2) \cap \mathfrak{B}_k$, written $\mathcal{S}_1 \times_k \mathcal{S}_2$, is $\equiv_n$-finite.

One can notice that, in the counter-example given before Definition 14, the deviations of the shiftables in $\mathcal{S}_1 \times \mathcal{S}_2$ are unbounded.
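The counter-example above and the effect of the deviation bound of Theorem 3, as an added example (it is not code from the paper): shiftables are encoded as nested tuples of index terms, `('n', k)` for $n + k$ and `('c', c)` for a constant, so $P_{n-1}$ is `(('n', -1),)` and a pair of shiftables is a tuple of two such tuples. The names `shift`, `shift_equal`, `deviation`, `maximal_companions` and `counter_example` are chosen here, and the infinite set $\mathcal{S}_1 = \{P_{n-i}\}$ is truncated to $i \leq N$ because a program cannot hold it whole; the point is that the number of maximal companions grows with $N$ without the deviation bound and is stable with it.

```python
# Added example (not from the paper): equality up to a shift (Definition 12),
# deviation (Definition 14) and the counter-example preceding Definition 14.
# Index terms: ('n', k) stands for n + k, ('c', c) for the constant c.
# A shiftable is a tuple of index terms or a tuple of shiftables.

def _is_term(s):
    return isinstance(s, tuple) and len(s) == 2 and s[0] in ('n', 'c')

def shift(s, k):
    """s[n - k / n]: every n + j becomes n + j - k, constants are untouched."""
    if _is_term(s):
        return ('n', s[1] - k) if s[0] == 'n' else s
    return tuple(shift(t, k) for t in s)

def offsets(s):
    """Offsets j of all terms n + j occurring in s, in structural order."""
    if _is_term(s):
        return [s[1]] if s[0] == 'n' else []
    return [j for t in s for j in offsets(t)]

def shift_equal(s1, s2):
    """s1 =_n s2: there is k > 0 with s1 == s2[n - k / n].  For shiftables
    without n this degenerates to plain equality (the relation is reflexive there)."""
    o1, o2 = offsets(s1), offsets(s2)
    if not o1:
        return not o2 and s1 == s2
    if len(o1) != len(o2):
        return False
    k = o2[0] - o1[0]            # the shift is forced by any single n-term
    return k > 0 and shift(s2, k) == s1

def deviation(s):
    """delta(s): largest difference between offsets of n-terms, 0 if n is absent."""
    o = offsets(s)
    return max(o) - min(o) if o else 0

def maximal_companions(S):
    """Elements s of S with no other s' in S such that s =_n s' (Definition 13);
    s itself is excluded so that n-free shiftables count as maximal companions."""
    return [s for s in S if not any(t != s and shift_equal(s, t) for t in S)]

def counter_example(N, k=None):
    """Number of maximal companions of S1 x S2 with S1 = {P_{n-i} : 0 <= i <= N}
    (a truncation of the infinite set of the text) and S2 = {P_n}.  With k given,
    only the pairs of deviation <= k are kept, i.e. S1 x_k S2."""
    S1 = [(('n', -i),) for i in range(N + 1)]
    S2 = [(('n', 0),)]
    pairs = [(a, b) for a in S1 for b in S2
             if k is None or deviation((a, b)) <= k]
    return len(maximal_companions(pairs))

if __name__ == "__main__":
    print(shift_equal((('n', -1),), (('n', 0),)))           # P_{n-1} =_n P_n
    print(counter_example(10), counter_example(50))          # grows with N
    print(counter_example(10, 3), counter_example(50, 3))    # stable once N >= k
```

Every pair $(P_{n-i}, P_n)$ is its own maximal companion because shifting it moves the second component away from $P_n$, so without the bound the quotient has $N + 1$ elements; with deviation bounded by $k$ only the $k + 1$ pairs with $i \leq k$ survive, which is the finiteness Theorem 3 asserts.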

Proof. We construct a bijective function $f : \mathcal{S}_1/{\equiv_n} \times \mathcal{S}_2/{\equiv_n} \times [-k..k] \to (\mathcal{S}_1 \times_k \mathcal{S}_2)/{\equiv_n}$: as $\mathcal{S}_1/{\equiv_n}$, $\mathcal{S}_2/{\equiv_n}$ and $[-k..k]$ are finite, $(\mathcal{S}_1 \times_k \mathcal{S}_2)/{\equiv_n}$ is finite, hence the result. Informally $f$ associates to each pair of maximal companions a maximal companion in $\mathcal{S}_1 \times_k \mathcal{S}_2$; however there are as many new maximal companions as there are possible deviations (actually twice as many), hence the dependency on $[-k..k]$. Let $[s_1] \in \mathcal{S}_1/{\equiv_n}$, $[s_2] \in \mathcal{S}_2/{\equiv_n}$ and $d \in [-k..k]$; we now construct $f([s_1], [s_2], d)$.

First of all, if $[s_1]$ or $[s_2]$ does not contain $n$ then $f([s_1], [s_2], d) = ([s_1], [s_2])$ independently of $d$. Then for any pair $(s_1, s_2) \in \mathcal{S}_1 \times_k \mathcal{S}_2$ s.t. $s_1$ or $s_2$ does not contain $n$, it is easily seen that $(s_1, s_2) \equiv_n ([s_1], [s_2])$ (we let the reader observe that this would not necessarily be the case if both $s_1$ and $s_2$ contained $n$). Furthermore $([s_1], [s_2])$ is a maximal companion. Indeed, suppose that there is another pair $(s_1', s_2')$ s.t. $([s_1], [s_2]) \equiv_n (s_1', s_2')$; then necessarily $[s_1] \equiv_n s_1'$, which contradicts the fact that $[s_1]$ is a maximal companion w.r.t. $\mathcal{S}_1$.

So from now on we assume that both $[s_1]$ and $[s_2]$ contain $n$. Hence every shiftable $s$ s.t. $s \equiv_n s_1$ or $s \equiv_n s_2$ also contains $n$. As a consequence, for every such shiftable $s$, $\max(s) = \max\{k \in \mathbb{Z} \mid n + k \text{ occurs in } s\}$ is well-defined.

We first prove that $\{(s_1, s_2) \mid s_1 \equiv_n [s_1],\ s_2 \equiv_n [s_2],\ \max(s_1) - \max(s_2) = d\}$ is a looping chain. That is, we prove that for all $s_1, s_1' \in \mathcal{S}_1$ and $s_2, s_2' \in \mathcal{S}_2$ s.t. $s_1 \equiv_n [s_1]$, $s_1' \equiv_n [s_1]$, $s_2 \equiv_n [s_2]$, $s_2' \equiv_n [s_2]$, $\max(s_1) - \max(s_2) = d$ and $\max(s_1') - \max(s_2') = d$, there is $k > 0$ s.t. either $(s_1, s_2) \equiv_n^k (s_1', s_2')$, or $(s_1', s_2') \equiv_n^k (s_1, s_2)$, or $(s_1, s_2) = (s_1', s_2')$. By Proposition 5 we have either $s_1 \equiv_n^k s_1'$, $s_1' \equiv_n^k s_1$ or $s_1 = s_1'$ for some $k > 0$, and either $s_2 \equiv_n^{k'} s_2'$, $s_2' \equiv_n^{k'} s_2$ or $s_2 = s_2'$ for some $k' > 0$. Suppose $s_1' \equiv_n^k s_1$; then $\max(s_1) - \max(s_1') = k$. From $\max(s_1) - \max(s_2) = d$ and $\max(s_1') - \max(s_2') = d$ it easily follows that $\max(s_2) - \max(s_2') = k$. As $k > 0$, this entails that we can have neither $s_2 \equiv_n^{k'} s_2'$ nor $s_2 = s_2'$. Hence the only possibility is $s_2' \equiv_n^{k'} s_2$, and more precisely with $k' = k$. As a consequence $(s_1', s_2') \equiv_n^k (s_1, s_2)$. The case $s_1 \equiv_n^k s_1'$ is symmetric, and the case $s_1 = s_1'$ easily entails $s_2 = s_2'$ by taking $k = 0$ in the previous equations.

Then we prove that it is a well-founded chain. Notice that if $(s_1, s_2) \equiv_n (s_1', s_2')$ then $s_1 \equiv_n s_1'$. So if a looping chain $\cdots \equiv_n (s_1^{j-1}, s_2^{j-1}) \equiv_n (s_1^{j}, s_2^{j}) \equiv_n (s_1^{j+1}, s_2^{j+1}) \equiv_n \cdots$ does not contain a maximal companion, then one of the looping chains $\cdots \equiv_n s_1^{j-1} \equiv_n s_1^{j} \equiv_n s_1^{j+1} \equiv_n \cdots$ or $\cdots \equiv_n s_2^{j-1} \equiv_n s_2^{j} \equiv_n s_2^{j+1} \equiv_n \cdots$ does not contain a maximal companion either. By hypothesis this is false in our case. As a consequence there is indeed a maximal companion for the looping chain $\{(s_1, s_2) \mid s_1 \equiv_n [s_1],\ s_2 \equiv_n [s_2],\ \max(s_1) - \max(s_2) = d\}$, and we set $f([s_1], [s_2], d)$ to be this maximal companion. It is now trivial that $(\mathcal{S}_1 \times_k \mathcal{S}_2)/{\equiv_n} = f[\mathcal{S}_1/{\equiv_n} \times \mathcal{S}_2/{\equiv_n} \times [-k..k]]$: for any pair $(s_1, s_2) \in \mathcal{S}_1 \times_k \mathcal{S}_2$, $(s_1, s_2) \equiv_n f([s_1], [s_2], \max(s_1) - \max(s_2))$ and $f([s_1], [s_2], \max(s_1) - \max(s_2))$ is a maximal companion w.r.t. $\mathcal{S}_1 \times_k \mathcal{S}_2$. Notice that $|\max(s_1) - \max(s_2)| \leq k$ because $(s_1, s_2) \in \mathfrak{B}_k$. □

As trivial corollaries we get (where all the involved shiftables are translated w.r.t. $n$):

- $\{S_1 \,\Delta\, S_2 \mid S_1 \in \mathcal{S}_1,\ S_2 \in \mathcal{S}_2\} \cap \mathfrak{B}_k$, where $\Delta \in \{\wedge, \vee\}$, is $\equiv_n$-finite when $\mathcal{S}_1$ and $\mathcal{S}_2$ are $\equiv_n$-finite.

- $\{(\bigwedge_{i|C}\Pi_S) \wedge \mathcal{C}_S \mid S \in \mathcal{S},\ C \in \mathcal{C}\} \cap \mathfrak{B}_k$ is $\equiv_n$-finite when $\mathcal{S}$ and $\mathcal{C}$ are $\equiv_n$-finite.

- $\{e_1 = e_2 \mid e_1 \in \mathcal{E}_1,\ e_2 \in \mathcal{E}_2\} \cap \mathfrak{B}_k$ is $\equiv_n$-finite when $\mathcal{E}_1$ and $\mathcal{E}_2$ are $\equiv_n$-finite sets of linear expressions (this corollary will be useful in the proof of Lemma 8, which explains why equality up to a shift is defined on shiftables and not only on schemata).

4.2 Refinement Extensions 

Equality up to a shift is generally not powerful enough to detect cycles, so we now define simple extensions that allow better detection. Consider for example the schema $S$ defined in Example 2. Using DPLL* there is a branch which contains $S' = P_1 \wedge \bigwedge_{i=1}^{n-1}(P_i \Rightarrow P_{i+1}) \wedge \neg P_n \wedge \neg P_{n+1} \wedge n > 0 \wedge n - 1 > 0$. $S'$ loops on $S$ but $S'$ is not equal to $S$ up to a shift. However $\neg P_{n+1}$ is pure in $S'$ (i.e. $P_{n+1} \not\sqsubseteq_0 S'$), so $\neg P_{n+1}$ may be evaluated to true. Therefore we obtain $P_1 \wedge \bigwedge_{i=1}^{n-1}(P_i \Rightarrow P_{i+1}) \wedge \neg P_n \wedge n > 0 \wedge n - 1 > 0$, i.e. $S[n-1/n] \wedge n > 0$. But $n - 1 > 0$ entails $n > 0$, so we can remove $n > 0$ and finally get $S[n-1/n]$.

We now generalise this example, thereby introducing two new looping refinements: the pure literal extension and the redundant constraint extension (both of them actually take an existing looping refinement and extend it into a more powerful one, hence the name "extension"). We could have defined them as rules rather than as looping refinements; however, this way the results can be useful not only to DPLL* but also to any other system working with iterated schemata, e.g. they are applicable without any modification to the system STAB defined in [2].

Pure Literals. As usual, a literal $L$ is (propositionally) pure in a formula $\phi$ iff its complement does not occur positively in $\phi$. The pure literal rule is standard in propositional theorem proving: it consists in evaluating a literal $L$ to true in a formula $\phi$ if $L$ is pure in $\phi$. It is well known that this operation preserves satisfiability, but it is now often omitted, as looking for occurrences of a literal generally costs more than the benefits of its removal. In our case, however, dropping this optimization frequently results in non-termination.

The notion of pure literal has to be adapted to schemata. The conditions on $L$ must be strengthened in order to take iterations into account. For instance, if $L = P_n$ and $S = \bigvee_{i=1}^{2n} \neg P_i$ then $L$ is not pure in $S$, since $\neg P_i$ is the complement of $L$ for $i = n$ (and $1 \leq n \leq 2n$). On the other hand $P_{2n+1}$ is pure in $S$ (since $2n + 1 \notin [1..2n]$). It is actually easy to see that $\sqsubseteq_0$ is the right tool to formalize this notion.

Definition 15. A literal $L$ is pure in a schema $S$ iff for every environment $\rho$ of $S$, $|L|_\rho$ is propositionally pure in $|S|_\rho$.

It is easily seen that $L$ is pure in $S$ iff $L^c \not\sqsubseteq_0 S$; thus, by decidability of $\sqsubseteq_0$, it is decidable whether a literal is pure or not.

The substitution of an indexed proposition $P_{e_1,\dots,e_k}$ by a pattern $\pi'$ in a pattern $\pi$, written $\pi[\pi'/P_{e_1,\dots,e_k}]$, is defined as follows:

$P_{e_1,\dots,e_k}[\pi'/P_{e_1,\dots,e_k}] = \pi'$

$Q_{f_1,\dots,f_k}[\pi'/P_{e_1,\dots,e_k}] = Q_{f_1,\dots,f_k}$ if $P \neq Q$ or $f_i \neq e_i$ for some $i \in [1..k]$

$(\pi_1 \,\Delta\, \pi_2)[\pi'/P_{e_1,\dots,e_k}] = \pi_1[\pi'/P_{e_1,\dots,e_k}] \,\Delta\, \pi_2[\pi'/P_{e_1,\dots,e_k}]$ ($\Delta \in \{\vee, \wedge\}$)

$(\Delta_{i|C}\,\pi)[\pi'/P_{e_1,\dots,e_k}] = \Delta_{i|C}\,\pi[\pi'/P_{e_1,\dots,e_k}]$ ($\Delta \in \{\bigvee, \bigwedge\}$)

Notice that this is a trivial syntactic substitution, e.g. $(\neg P_1 \wedge \bigvee_{i=1}^{n} P_i)[\top/P_1] = \neg\top \wedge \bigvee_{i=1}^{n} P_i$ and not $\neg\top \wedge (\top \vee \bigvee_{i=2}^{n} P_i)$. Actually the latter would be a mistake, because we do not know whether $n \geq 1$ or not. The definition naturally extends to a schema $S$: $S[\pi'/P_{e_1,\dots,e_k}]$ is obtained by substituting in $\Pi_S$.

Proposition 6. Let $L$ be a literal pure in a schema $S$. If $S$ has a model $\mathcal{I}$ then $S[\top/L]$ has a model $\mathcal{J}$ s.t. $\rho_{\mathcal{I}}(n) = \rho_{\mathcal{J}}(n)$ for every parameter $n$ of $S$. Conversely, if $S[\top/L]$ has a model $\mathcal{I}$ then $S$ has a model $\mathcal{J}$ s.t. $\rho_{\mathcal{I}}(n) = \rho_{\mathcal{J}}(n)$ for every parameter $n$ of $S$.

Proof. Let $\mathcal{I}$ be a model of $S$. $|S|_{\rho_{\mathcal{I}}}$ is thus satisfiable. As $L$ is pure in $S$, $|L|_{\rho_{\mathcal{I}}}$ is pure in $|S|_{\rho_{\mathcal{I}}}$ (and thus in $|S[\top/L]|_{\rho_{\mathcal{I}}}$). So by the classical result that the satisfiability of a propositional formula is preserved when removing a pure literal, $|S|_{\rho_{\mathcal{I}}}[\top/|L|_{\rho_{\mathcal{I}}}]$ is satisfiable. As $|S|_{\rho_{\mathcal{I}}}[\top/|L|_{\rho_{\mathcal{I}}}] = |S[\top/L]|_{\rho_{\mathcal{I}}}[\top/|L|_{\rho_{\mathcal{I}}}]$, $|S[\top/L]|_{\rho_{\mathcal{I}}}$ is also satisfiable. We define $\mathcal{J}_p$ as one of its models and $\rho_{\mathcal{J}}$ as $\rho_{\mathcal{I}}$. $\mathcal{J}$ is obviously a model of $S[\top/L]$ and indeed $\rho_{\mathcal{I}}(n) = \rho_{\mathcal{J}}(n)$ for every parameter $n$ of $S$. The proof of the converse is symmetric. □

A schema $S$ in which all pure literals have been substituted with $\top$ is written $\mathrm{purified}(S)$.

Definition 16. Let $\triangleright$ be a looping refinement. We call the pure extension of $\triangleright$ the relation $\triangleright'$ s.t. $S_1 \triangleright' S_2$ iff $\mathrm{purified}(S_1) \triangleright \mathrm{purified}(S_2)$.

Proposition 7. The pure extension of a looping refinement is a looping refinement.

Proof. Consider $S_1, S_2$ s.t. $S_1 \triangleright' S_2$, i.e. $\mathrm{purified}(S_1) \triangleright \mathrm{purified}(S_2)$. Let $\mathcal{I}$ be a model of $S_1$. By Proposition 6, there exists a model $\mathcal{I}'$ of $\mathrm{purified}(S_1)$ s.t. $\rho_{\mathcal{I}'}(n) = \rho_{\mathcal{I}}(n)$ for every parameter $n$ of $S_1$. Then, as $\triangleright$ is a looping refinement and by Definition 7, there is a model $\mathcal{J}'$ of $\mathrm{purified}(S_2)$ s.t. $\rho_{\mathcal{J}'}(n) < \rho_{\mathcal{I}'}(n)$ for some parameter $n$ of $\mathrm{purified}(S_1)$ (and thus of $S_1$) and $\rho_{\mathcal{J}'}(n) \leq \rho_{\mathcal{I}'}(n)$ for the other parameters of $S_1$. Then by Proposition 6, there exists a model $\mathcal{J}$ of $S_2$ s.t. $\rho_{\mathcal{J}'}(n) = \rho_{\mathcal{J}}(n)$ for every parameter $n$ of $S_2$. From a model $\mathcal{I}$ of $S_1$ we constructed a model $\mathcal{J}$ of $S_2$ s.t. $\rho_{\mathcal{J}}(n) < \rho_{\mathcal{I}}(n)$ for some parameter $n$ of $S_1$ and $\rho_{\mathcal{J}}(n) \leq \rho_{\mathcal{I}}(n)$ for the other parameters, i.e. we proved that $S_1$ loops on $S_2$. □

Redundant Constraints. This extension is justified by the fact that DPLL* often leads to constraints of the form $n > 0$, then $n > 0 \wedge n - 1 > 0$, then $n > 0 \wedge n - 1 > 0 \wedge n - 2 > 0$, etc. Such constraints contain redundant information, which can be an obstacle to the detection of cycles in a proof.

Definition 17. Any normal form of a schema $S$ by the following rewrite rules:

$C_1 \wedge \cdots \wedge C_k \to C_1 \wedge \cdots \wedge C_{k-1}$ if $\{C_1, \dots, C_{k-1}\} \vdash C_k$

$C \to \bot$ if $C$ is unsatisfiable

is called a constraint-irreducible schema of $S$.

By decidability of satisfiability in linear arithmetic, it is easy to compute a constraint-irreducible schema of $S$.

Definition 18. Let $\triangleright$ be a looping refinement. We call the constraint-irreducible extension of $\triangleright$ the relation $\triangleright'$ s.t. for all $S_1, S_2$, $S_1 \triangleright' S_2$ iff there exist $S_1'$ (resp. $S_2'$), a constraint-irreducible schema of $S_1$ (resp. $S_2$), s.t. $S_1' \triangleright S_2'$.

Proposition 8. The constraint-irreducible extension of a looping refinement is a looping refinement.

Proof. It is easy to show that if $S$ (resp. a constraint-irreducible schema of $S$) has a model $\mathcal{I}$ then any constraint-irreducible schema of $S$ (resp. $S$) has a model $\mathcal{J}$ s.t. $\rho_{\mathcal{I}}(n) = \rho_{\mathcal{J}}(n)$ for every parameter $n$ of $S$. Then the proof goes exactly the same way as the proof of Proposition 7. □
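The example of Section 4.2, Definitions 15 to 18 and the resulting looping refinement, as an added example in Python (it is not the paper's code, and DPLL* itself is not implemented here). The encoding of schemata, the names `purify`, `constraint_irreducible` and `loops_on`, and the restriction of the purity test to top-level literals are choices of this example; the schema $S$ of Example 2 is reconstructed from the statement above that $S'$, once purified and simplified, is $S[n-1/n] \wedge n > 0$. The purity test uses the index-coincidence check that the "for every environment" condition of Definition 15 reduces to for single-parameter, monadic, translated schemata with frames $[a..n-b]$, and Definition 17 is specialised to constraints that are lower bounds on $n$, which is all the example needs.

```python
# Added example (not from the paper): the Section 4.2 example run through the
# pure-literal and constraint-irreducible extensions of equality up to a shift.
# Schemata are restricted to what that example needs: a single parameter n,
# monadic propositions, and a conjunction of
#   ('lit', sign, idx)      literal (sign +1/-1); idx ('c', c) is P_c, ('n', d) is P_{n+d}
#   ('iter', a, b, clause)  /\_{i=a}^{n-b} \/ sign P_{i+c}   for (sign, c) in clause
#   ('ge', k)               the constraint n >= k  (n > 0 is ('ge', 1))
# Purity is tested for top-level literals only, via an index-coincidence check
# (an assumption of this example); Definition 17 is specialised to bounds on n.

def shift(schema, k):
    """schema[n - k / n]."""
    out = []
    for c in schema:
        if c[0] == 'lit' and c[2][0] == 'n':
            out.append(('lit', c[1], ('n', c[2][1] - k)))
        elif c[0] == 'iter':
            out.append(('iter', c[1], c[2] + k, c[3]))
        elif c[0] == 'ge':
            out.append(('ge', c[1] + k))
        else:
            out.append(c)
    return out

def n_lower_bound(schema):
    """Smallest n admitted by the constraints (n is a natural number)."""
    return max([c[1] for c in schema if c[0] == 'ge'], default=0)

def occurrences(schema):
    """(sign, index set) for every occurrence of an indexed proposition; the
    index set ('range', a, b, c) is { i + c : a <= i <= n - b }."""
    occ = []
    for c in schema:
        if c[0] == 'lit':
            occ.append((c[1], c[2]))
        elif c[0] == 'iter':
            occ.extend((s, ('range', c[1], c[2], off)) for s, off in c[3])
    return occ

def may_coincide(t, u, nmin):
    """Is there an n >= nmin for which index set t meets index set u?
    Ranges grow with n, so two ranges always meet for n large enough."""
    if t[0] == 'range' and u[0] != 'range':
        t, u = u, t
    if u[0] != 'range':                       # both are single indices
        if t[0] == u[0]:
            return t[1] == u[1]
        c, d = (t[1], u[1]) if t[0] == 'c' else (u[1], t[1])
        return c - d >= nmin                  # c = n + d  <=>  n = c - d
    a, b, off = u[1], u[2], u[3]
    if t[0] == 'c':                           # need a + off <= c; the upper end grows with n
        return t[1] >= a + off
    if t[0] == 'n':                           # n + d <= n - b + off  <=>  d <= off - b
        return t[1] <= off - b
    return True

def purify(schema):
    """Drop the top-level literals that are pure (Definition 15): no occurrence
    of the opposite sign can share their index for an admissible n.  Replacing
    such a literal by ⊤ and simplifying ⊤ ∧ S to S amounts to dropping it."""
    nmin, occ = n_lower_bound(schema), occurrences(schema)
    out = []
    for c in schema:
        if c[0] == 'lit' and not any(
                s != c[1] and may_coincide(c[2], o, nmin) for s, o in occ):
            continue
        out.append(c)
    return out

def constraint_irreducible(schema):
    """Definition 17 for constraints n >= k: only the strongest bound is kept."""
    rest = [c for c in schema if c[0] != 'ge']
    return rest + ([('ge', n_lower_bound(schema))] if len(rest) < len(schema) else [])

def loops_on(s1, s2, max_shift=16):
    """Shift k > 0 with purified/reduced s1 == (purified/reduced s2)[n - k / n],
    or None: the looping refinement used by the strategy of Section 5.1."""
    a, b = (constraint_irreducible(purify(s)) for s in (s1, s2))
    return next((k for k in range(1, max_shift + 1) if a == shift(b, k)), None)

# S  = P_1 ∧ /\_{i=1}^{n}(P_i ⇒ P_{i+1}) ∧ ¬P_{n+1} ∧ n > 0  (reconstructed from the text)
S = [('lit', 1, ('c', 1)), ('iter', 1, 0, [(-1, 0), (1, 1)]),
     ('lit', -1, ('n', 1)), ('ge', 1)]
# S' = P_1 ∧ /\_{i=1}^{n-1}(P_i ⇒ P_{i+1}) ∧ ¬P_n ∧ ¬P_{n+1} ∧ n > 0 ∧ n - 1 > 0
S_PRIME = [('lit', 1, ('c', 1)), ('iter', 1, 1, [(-1, 0), (1, 1)]),
           ('lit', -1, ('n', 0)), ('lit', -1, ('n', 1)), ('ge', 1), ('ge', 2)]

if __name__ == "__main__":
    print(any(S_PRIME == shift(S, k) for k in range(1, 16)))  # plain shift: False
    print(loops_on(S_PRIME, S))                               # with extensions: 1
```

Plain equality up to a shift misses the loop because $S'$ carries the extra conjuncts $\neg P_{n+1}$ and $n > 0$; the purity test drops the first (no positive occurrence of $P_{n+1}$ can exist once $n \geq 2$, whereas in $S$ itself $P_{i+1}$ reaches $P_{n+1}$ and the literal is correctly kept), the constraint normal form drops the second, and what remains is syntactically $S[n-1/n]$.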
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Generalisation. We can generalize Propositions 7 and 8: 

Proposition 9. Let > be a looping refinement, and ★ a binary relation among 
schemata s.t. for all schemata 81,82 if Si -k 82 then the satisfiability of 81 is 
equivalent to the satisfiability of 82, preserving the values of the parameters. 
The relation >' s.t. for all 81,82, 81 >' 82 iff there exists 5^,5*2 s.t. 81 * 8[, 
82 * 82 and 8[> 82, is a looping refinement. 

And we can generalize Definitions 16 and 18: d>' is called the -k-extension of i>. 

Of course this construction has an interest only if [>' catches more looping 
cases than >. It can be seen as working with normal forms of schemata w.r.t. * 
which can be better suited to d> than their non-normal counterparts. Prom the two 
previous definitions and from the requirement that satisfiability "fits well" with 
it can be observed that extensions would be seen in some other context as just 
optimisations (see e.g. the pure literal rule, or the remark about normal forms). 
In the context of schemata, those are generally more than just optimizations as 
they may be required for termination. Interestingly enough circumscribing those 
extensions to the looping rule allows us to keep a high-level description of the 
main proof system and a modular presentation of looping. 

5 Decidable Classes 

We now present some classes of schemata for which DPLL* terminates.

5.1 Regularly Nested Schemata

Definition 19 (Regularly Nested Schema). An iteration $\bigwedge_{i|C}\pi$ is framed iff there are two expressions $e_1, e_2$ s.t. $C$ is $e_1 \leq i \wedge i \leq e_2$. $[e_1..e_2]$ is called the frame of the iteration. A schema $S$ is:

— Monadic iff all indexed propositions occurring in $S$ have only one index.

— Framed iff all iterations occurring in it are framed.

— Aligned on $[e_1..e_2]$ iff it is framed and all its iterations have the same frame $[e_1..e_2]$.

— Translated iff it is translated w.r.t. every variable occurring in it.

— Regularly Nested iff it has a unique parameter $n$, it is monadic, translated and aligned on $[k..n-l]$ for some $k, l \in \mathbb{Z}$.

The definitions extend to a node $\alpha$ of a tableau $T$ by considering its schema $S_T(\alpha)$.

Notice that regularly nested schemata allow the nesting of iterations. But they are too weak to express the binary multiplier presented in the Introduction (since only monadic propositions are considered).

Example 5. $\bigwedge_{i=1}^{n}\bigvee_{j=1}^{n}(P_i \Rightarrow Q_j) \wedge \bigwedge_{i=1}^{n} \ldots \wedge \bigvee_{i=1}^{n} P_i$ is regularly nested.
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We divide Constraint splitting into two disjoint rules: framed- Constraint 
splitting (resp. non framed- Constraint splitting) denotes Constraint splitting 
with the restriction that A;^QTr (following the notations of the rule) is framed 
(resp. not framed). We consider the following strategy & for applying the exten- 
sion rules on a regularly nested schema: 

1. First only bamed- Constraint splitting applies until irreducibility. 

2. Then all other rules except Unfolding apply until irreducibility with the 
restriction that Expansion rewrites Pei iff ei contains no variable other than 
the parameter of the schema (notice that there is only one index because the 
schema is monadic). 

3. Finally only Unfolding applies until irreducibility, with the restriction that 
if the unfolded iteration is framed then e (in the definition of Unfolding) is 
the upper bound of the frame. We then go back to 1. 

For the Looping rule we use equality up to a shift with its pure and constraint- 
irreducible extensions (it is trivial that the order in which the extensions are 
done does not matter). It is easy to prove that & preserves completeness. 

Interval splitting and Emptiness never apply when the input schema is reg- 
ularly nested. Indeed let A;^c be an iteration of the schema. C cannot contain 
an expression of the form k.e, hence Interval splitting cannot apply. No variable 
other than i or the parameter can be free in C (due to the frame of the form 
[A;..n — I]), thus Emptiness cannot apply. However Expansion may introduce non 
framed iterations, but no variable other than i or the parameter can be free 
in C because Expansion only applies if ci contains no variable other than the 
parameter of the schema. All this shall become clear in the next section. 

5.2 Termination of DPLL* for Regularly Nested Schemata 

The proof that $\mathfrak{S}$ terminates for regularly nested schemata goes by showing that the set $\{S\mathcal{L}_T(\alpha) \mid \alpha \text{ is a node of } T\}$, i.e. the set of schemata generated all along the procedure, is (roughly*) finite up to the constraint-irreducible and pure extensions of equality up to a shift. As $S\mathcal{L}_T(\alpha) = \Pi_{S_T(\alpha)} \wedge C_{S_T(\alpha)} \wedge \bigwedge\mathcal{L}_T(\alpha)$, this set is equal to $\{\Pi_{S_T(\alpha)} \wedge C_{S_T(\alpha)} \wedge \bigwedge\mathcal{L}_T(\alpha) \mid \alpha \text{ is a node of } T\}$. So the task can approximately be divided into four: prove that the set of patterns is finite up to a shift (Lemma 9), prove that the set of constraints is finite up to a shift (Lemma 8), prove that the set of partial interpretations is finite up to a shift (Lemma 7, Corollary 3) and combine the three results thanks to Theorem 3 (Corollary 4).

Tracing DPLL*. Among those tasks, the hardest is the first one, because it requires an induction on the structure of $\Pi_{S_T(\alpha)}$. For this induction to be achieved properly we need to "trace" the evolution under $\mathfrak{S}$ of every subpattern of $\Pi_{S_T(\alpha)}$. A subpattern can be uniquely identified by its position. So we extend DPLL*

* This set will actually be restricted to alignment nodes, see Definition 21. 
into T-DPLL* (for Traced DPLL*), by adding to the pair $(S_T(\alpha), \mathcal{L}_T(\alpha))$ labelling nodes in DPLL* a third component containing a set of positions of $\Pi_{S_T(\alpha)}$. Along the execution of the procedure, a traced subpattern may be moved, duplicated, deleted, some context may be added around it, some of its subpatterns may be modified. Despite all those modifications, we are able to follow the subpattern thanks to the set of positions in the labels.

As usual, a position is a finite sequence of natural numbers, $\varepsilon$ denotes the empty sequence, $s_1.s_2$ denotes the concatenation of $s_1$ and $s_2$ and $\le$ denotes the prefix ordering. The positions of a pattern $\pi$ are defined as follows: $\varepsilon$ is a position in $\pi$; if $p$ is a position in $\pi$ then $1.p$ is a position in $\neg\pi$, $\bigwedge_{i|C}\pi$ and $\bigvee_{i|C}\pi$; for $i \in \{1, 2\}$, if $p$ is a position in $\pi_i$ then $i.p$ is a position in $\pi_1 \vee \pi_2$ and $\pi_1 \wedge \pi_2$.

For two sequences $s_1, s_2$ s.t. $s_2$ is a prefix of $s_1$, $s_2 \backslash s_1$ is the sequence s.t. $s_2.(s_2 \backslash s_1) = s_1$. In particular for two positions $p_1, p_2$ s.t. $p_2$ is a prefix of $p_1$, $p_2 \backslash p_1$ can be seen as the position, relatively to $p_2$, of the subterm in position $p_1$ in $S$.

Definition 20 (T-DPLL*). A T-DPLL* tableau $T$ is the same as a DPLL* tableau except that a node $\alpha$ is labeled with a triple $(S_T(\alpha), \mathcal{L}_T(\alpha), \mathcal{P}_T(\alpha))$ where $\mathcal{P}_T(\alpha)$ is a set of positions in $\Pi_{S_T(\alpha)}$. T-DPLL* keeps the behavior of DPLL* for $S_T(\alpha)$ and $\mathcal{L}_T(\alpha)$; we only describe the additional behavior for $\mathcal{P}_T(\alpha)$ as follows: $p \to p_1, \ldots, p_k$ means that $p$ is deleted and $p_1, \ldots, p_k$ are added to $\mathcal{P}_T(\alpha)$.

— Splitting rules and the Expansion rewrite rule leave $\mathcal{P}_T(\alpha)$ as is.

— Rewrite rules. We write $q$ for the position of the subpattern of $\Pi_S$ which is rewritten. We omit Emptiness as it never applies.

• Algebraic simplification. For $p > q$:

$p \to q.(1 \backslash (q \backslash p))$ for rules where $\pi$ occurs on both sides of the rewrite (following the notations of Definition 6), and if $p$ is the position of a subpattern of $\pi$;

$p \to$ (i.e. $p$ is simply deleted) otherwise.

• Unfolding. For $p > q$: $p \to q.1.(q \backslash p),\ q.2.1.(q \backslash p)$.

Let $\alpha, \beta$ be nodes of a T-DPLL* tableau $T$ s.t. $\beta \prec \alpha$. For two patterns $\pi_1, \pi_2$, we write $\pi_1 \approx_T \pi_2$ iff $\pi_1 = \Pi_{S_T(\alpha)}|_{p_1}$ and $\pi_2 = \Pi_{S_T(\beta)}|_{p_2}$ for some positions $p_1 \in \mathcal{P}_T(\alpha)$ and $p_2 \in \mathcal{P}_T(\beta)$.

Notice that $\mathfrak{S}$ is naturally extended to T-DPLL* tableaux.

The stripped of a T-DPLL* tableau is the tree obtained by removing the last component (i.e. the set of positions) of each of its nodes' label. The following proposition is trivial:

Proposition 10. (i) If $T$ is a T-DPLL* tableau then its stripped is a DPLL* tableau. (ii) Conversely if $T$ is a DPLL* tableau of root $(S, \emptyset, \top)$, and $p$ is a position in $\Pi_S$, then there is a unique T-DPLL* tableau $T_p$ of root $(S, \emptyset, \top, \{p\})$, s.t. the stripped of $T_p$ is equal to $T$.

$T_p$ is called the decorated of $T$ w.r.t. $p$.
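The position bookkeeping of Definition 20 and the step 3 restriction on Unfolding can be exercised on a toy representation of patterns. The following Python code is an added example written for this page, not code from the paper. It assumes a fixed encoding of index expressions as (variable, offset) pairs, reads $q \backslash p$ in the Unfolding case as the position of the traced subpattern relative to the body of the unfolded iteration, and works on a constructed sample schema $\bigwedge_{i=1}^{n}(P_i \vee \neg P_{i+1})$. It unfolds the iteration twice (with $e$ the upper bound of the frame, the instance at position $q.1$ and the remaining iteration at $q.2$), follows a traced subpattern through both unfoldings, and reads off the $j$ of the $j$-alignment of Lemma 4 below after each step:

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union

Expr = Tuple[Optional[str], int]  # index expression (variable or None, offset): ('n', -1) is n-1
Pos = Tuple[int, ...]             # position: sequence of naturals, () is epsilon

@dataclass(frozen=True)
class Lit:
    name: str
    idx: Expr
@dataclass(frozen=True)
class Neg:
    arg: "Pat"
@dataclass(frozen=True)
class Bin:
    op: str  # '&' (conjunction) or '|' (disjunction)
    left: "Pat"
    right: "Pat"
@dataclass(frozen=True)
class Iter:  # big '&' or '|' whose bound variable var ranges over the frame [lo..hi]
    op: str
    var: str
    lo: Expr
    hi: Expr
    body: "Pat"

Pat = Union[Lit, Neg, Bin, Iter]

def subst(p: Pat, var: str, e: Expr) -> Pat:
    """Instantiate var by e; indices are translated (var + k), so var + k becomes e + k."""
    if isinstance(p, Lit):
        return Lit(p.name, (e[0], e[1] + p.idx[1])) if p.idx[0] == var else p
    if isinstance(p, Neg):
        return Neg(subst(p.arg, var, e))
    if isinstance(p, Bin):
        return Bin(p.op, subst(p.left, var, e), subst(p.right, var, e))
    return Iter(p.op, p.var, p.lo, p.hi, subst(p.body, var, e))  # bound variables are distinct

def at(p: Pat, pos: Pos) -> Pat:
    """Subpattern at pos: 1 under Neg/Iter, 1 or 2 under Bin (positions are assumed valid)."""
    for i in pos:
        p = (p.left if i == 1 else p.right) if isinstance(p, Bin) else (p.arg if isinstance(p, Neg) else p.body)
    return p

def replace_at(p: Pat, pos: Pos, new: Pat) -> Pat:
    """Copy of p with the subpattern at pos replaced by new."""
    if not pos:
        return new
    i, rest = pos[0], pos[1:]
    if isinstance(p, Bin):
        return Bin(p.op, replace_at(p.left, rest, new), p.right) if i == 1 else Bin(p.op, p.left, replace_at(p.right, rest, new))
    if isinstance(p, Neg):
        return Neg(replace_at(p.arg, rest, new))
    return Iter(p.op, p.var, p.lo, p.hi, replace_at(p.body, rest, new))

def unfold(p: Pat, q: Pos) -> Pat:
    """Unfolding at q with e = upper bound of the frame (step 3): pi[hi/i] at q.1, A_{i=lo..hi-1} pi at q.2."""
    it = at(p, q)
    rest = Iter(it.op, it.var, it.lo, (it.hi[0], it.hi[1] - 1), it.body)
    return replace_at(p, q, Bin(it.op, subst(it.body, it.var, it.hi), rest))

def trace_unfold(traced: FrozenSet[Pos], q: Pos) -> FrozenSet[Pos]:
    """Definition 20, Unfolding case: a traced p strictly below q becomes q.1.x (copy in the instance) and
    q.2.1.x (copy in the remaining body), x being p relative to the body q.1 (assumption on how q\\p is read)."""
    out = set()
    for p in traced:
        if len(p) > len(q) and p[:len(q)] == q:
            x = p[len(q) + 1:]
            out.update({q + (1,) + x, q + (2, 1) + x})
        else:
            out.add(p)  # positions not below q are unchanged
    return frozenset(out)

def alignment(p: Pat, k: int, l: int) -> Optional[int]:
    """The j of Lemma 4: all iterations framed on [k..n-l-j] for one j >= 0, else None (no iteration: 0)."""
    js = set()
    def walk(x: Pat) -> None:
        if isinstance(x, Iter):
            js.add(-l - x.hi[1] if x.lo == (None, k) and x.hi[0] == 'n' else None)
            walk(x.body)
        elif isinstance(x, Neg):
            walk(x.arg)
        elif isinstance(x, Bin):
            walk(x.left)
            walk(x.right)
    walk(p)
    if None in js or len(js) > 1 or min(js, default=0) < 0:
        return None
    return js.pop() if js else 0

# Constructed sample: AND_{i=1}^{n} (P_i OR NOT P_{i+1}), regularly nested and aligned on [1..n-0]
SAMPLE = Iter('&', 'i', (None, 1), ('n', 0), Bin('|', Lit('P', ('i', 0)), Neg(Lit('P', ('i', 1)))))

def demo():
    """Unfold twice, tracing the subpattern NOT P_{i+1} (position 1.2 of the root)."""
    traced = frozenset({(1, 2)})
    s1, t1 = unfold(SAMPLE, ()), trace_unfold(traced, ())
    s2, t2 = unfold(s1, (2,)), trace_unfold(t1, (2,))  # the remaining iteration now sits at position 2
    return s1, t1, s2, t2
```

After the two unfoldings the traced set is $\{1.2,\ 2.1.2,\ 2.2.1.2\}$: one copy per instance ($\neg P_{n+1}$ and $\neg P_n$) plus the copy still inside the remaining iteration $\bigwedge_{i=1}^{n-2}$, whose frame gives $j = 2$; a pattern mixing iterations of different frames is reported as not aligned.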
Alignment Nodes. The set $\{S\mathcal{L}_T(\alpha) \mid \alpha \text{ is a node of } T\}$ is actually not finite up to a shift. We have to restrict ourselves to a particular kind of nodes, called alignment nodes. Eventually, $\{S\mathcal{L}_T(\alpha) \mid \alpha \text{ is an alignment node of } T\}$ will indeed be finite up to a shift.

From now on, $T$ is a T-DPLL* tableau whose root schema is regularly nested of parameter $n$ and of alignment $[k..n-l]$ for some $k, l \in \mathbb{Z}$.

Definition 21 (Alignment Node). A node of $T$ is an alignment node iff it is irreducible by step 2 of $\mathfrak{S}$ (see the definition of $\mathfrak{S}$ above).

Proposition 11. Let $\alpha, \beta$ be nodes of $T$ s.t. $\beta$ is obtained by applying step 1 on $\alpha$. (i) Every iteration that occurs in $S_T(\beta)$ occurs in $S_T(\alpha)$. (ii) Furthermore if $\alpha$ is aligned on $[e_1..e_2]$ for some expressions $e_1, e_2$, then either $C_{S_T(\beta)} \models e_1 > e_2$ or $C_{S_T(\beta)} \models e_1 \le e_2$.

Proof. (i) is trivial as only Constraint splitting can apply in step 1. It applies only if $C_{S_T(\alpha)} \wedge \exists i\,(e_1 \le i \wedge i \le e_2)$ is satisfiable (following the notations of the rule). If it is not the case then we have immediately $C_{S_T(\alpha)} \models e_1 > e_2$, hence (ii). Otherwise Constraint splitting can apply and (ii) is obvious. □

Proposition 12. Let $\alpha, \beta$ be nodes of $T$ s.t. $\beta$ is obtained by applying step 2 on $\alpha$. If an iteration $\bigwedge_{i|C}\pi$ occurs in $S_T(\beta)$ then there is $\pi'$ s.t. $\bigwedge_{i|C}\pi'$ occurs in $S_T(\alpha)$.

Proof. Either $\bigwedge_{i|C}\pi$ comes from the rewrite of $\pi'$ into $\pi$ by rules of step 2 (in which case the result is obvious), or it is new and has been introduced by the rules. We show that the latter case is actually impossible. By observing the conclusion of each rule that can apply in step 2, only Expansion can introduce new iterations (as Emptiness and Interval splitting cannot apply), so suppose that $\bigwedge_{i|C}\pi$ was introduced by Expansion. By definition of $\mathfrak{S}$, $C$ must have the form $\delta.n + k_1 \neq n + k_2$ where $\delta \in \{0, 1\}$, $k_1, k_2 \in \mathbb{N}$ (and $n$ is the only parameter of the schema). But then (non-framed) Constraint splitting must have applied on $\bigwedge_{i|C}\pi$ (it can indeed apply because if the condition of application was not fulfilled, then the domain of the iteration would be valid, and Algebraic simplification would have removed it). $\bigwedge_{i|C}\pi$ is removed in the right branch of Constraint splitting, so we focus on the left branch: due to the added constraint, $\mathrm{Context}(S_1) \Rightarrow \exists i\, C$ (following the notations of Algebraic simplification) is valid. Furthermore, as $i$ was a fresh variable when Expansion applied, $\pi$ does not contain $i$. Thus Algebraic simplification must have applied and removed the iteration. Consequently $\bigwedge_{i|C}\pi$ cannot have been introduced by Expansion. □

Proposition 13. Let $\alpha, \beta$ be nodes of $T$ s.t. $\beta$ is obtained by applying step 3 on $\alpha$. If $\alpha$ is aligned on $[e_1..e_2]$, and $C_{S_T(\alpha)} \models e_1 \le e_2$, then $\beta$ is aligned on $[e_1..e_2 - q]$ for some $q > 0$.

Proof. As $C_{S_T(\alpha)} \models e_1 \le e_2$, Unfolding can apply, and thus turn all the frames into $[e_1..e_2 - 1]$. Notice that we may also have $C_{S_T(\alpha)} \models e_1 \le e_2 - q$ for some $q > 0$, in which case Unfolding can apply $q$ times more per iteration. □
Lemma 4. An alignment node $\alpha$ of $T$ is aligned on $[k..n-l-j]$ for some $j \in \mathbb{N}$. Furthermore if an alignment node $\beta \prec \alpha$ is aligned on $[k..n-l-j']$ for some $j' \in \mathbb{N}$, then $j' \ge j$.

Proof. The result is proved by induction on the number of alignment nodes above $\alpha$. The base case follows from the fact that the root of $T$ is regularly nested and thus aligned on $[k..n-l]$. By Propositions 11 (i) and 12, applying step 1 and then step 2 preserves the alignment. Let $\alpha'$ be an alignment node s.t. $\alpha \prec \alpha'$, and there is no alignment node between $\alpha$ and $\alpha'$. By induction $\alpha'$ is aligned on $[k..n-l-j]$ for some $j \in \mathbb{N}$. Because $\alpha'$ is an alignment node, Constraint splitting must have applied between $\alpha'$ and $\alpha$. Thus we have either $C_{S_T(\alpha)} \models k > n-l-j$ or $C_{S_T(\alpha)} \models k \le n-l-j$, by Proposition 11 (ii). In the first case there are no more iterations and every subsequent node is trivially aligned. In the second case, by Proposition 13, every node after step 3 is aligned on $[k..n-l-j']$ for some $j' > j$. Then, once again, by Propositions 11 (i) and 12, applying step 1 and step 2 preserves the alignment, so every next alignment node has the expected alignment. □

When an alignment node $\alpha$ of $T$ is aligned on $[k..n-l-j]$ for some $j \in \mathbb{N}$, we call $\alpha$ a $j$-alignment node.

Corollary 1. Every alignment node of $T$ is regularly nested.

Proof. We have to check that no new parameter is introduced, that the schema is still monadic, still translated and still aligned on $[k..n-l]$ for some $k, l \in \mathbb{Z}$. The alignment is an obvious consequence of Lemma 4. The "monadicity" is trivially preserved. The only way a new parameter could be introduced is when a connective binding a variable is removed. But it is easily seen that each rule which removes such a connective also removes the pattern in which the variable is bound, so no bound variable can become free. Finally the schema remains translated because a new arithmetic expression can only be introduced in DPLL* via an instantiation in Unfolding (or Interval splitting with $l.e_1$ and $k.e_2$, but it cannot apply). As a regularly nested schema is translated w.r.t. every variable, every expression occurring in it is either an integer or has the form $i + k$ where $i$ is a variable and $k \in \mathbb{Z}$. Instantiating a variable in an integer of course does not change the integer. Instantiating $i$ in $i + k$ with an integer turns the expression into another integer. Instantiating $i$ in $i + k$ with another expression $i' + k'$ turns the expression into $i' + k' + k$, which preserves the form of the expression. Hence in all cases the translated property of the schema is preserved. □

Lemma 5. Let $T$ be a tableau whose root schema is regularly nested of parameter $n$. For every alignment node $\alpha$ of $T$, $n$ only occurs in the domains of iterations.

Proof. We have to show that indices of all literals do not contain $n$. Suppose that $S_T(\alpha)$ contains a literal $L$ whose index contains $n$. We first show that we have either $L \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ or $L^c \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$. Indeed suppose it is not the case. We show that Propositional splitting can apply, i.e. that $L \sqsubseteq_\Diamond S_T(\alpha)$ or $L^c \sqsubseteq_\Diamond S_T(\alpha)$ (1), and neither $L \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ nor $L^c \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ (2):

1. Notice that it is not because $L$ occurs in $S_T(\alpha)$ that $L^c \sqsubseteq_\Diamond S_T(\alpha)$ or $L \sqsubseteq_\Diamond S_T(\alpha)$: indeed if $L$ occurs in an iteration, there can be an environment where this iteration is empty, so $L$ does not necessarily occur in the corresponding propositional realization. But as $\alpha$ is an alignment node, Constraint splitting has applied in step 1, adding the constraint that either all iterations were empty, or no iteration was empty. In the first case, no iteration remains (because Algebraic simplification must have applied in step 2) so $L$ necessarily occurs outside an iteration, and thus $L^c \sqsubseteq_\Box S_T(\alpha)$ or $L \sqsubseteq_\Box S_T(\alpha)$. In the second case, we know by Proposition 12 that if the non-emptiness of iterations was true before step 2, then it is also true after step 2, i.e. at $\alpha$. So we have indeed $L^c \sqsubseteq_\Box S_T(\alpha)$ or $L \sqsubseteq_\Box S_T(\alpha)$, and Propositional splitting indeed applies.

2. Suppose we have either $L \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ or $L^c \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$. As we supposed that neither $L \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ nor $L^c \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$, this means that there exists a literal $L' \in \mathcal{L}_T(\alpha)$ satisfying the property (★) that it has the same propositional symbol as $L$, not the same index in general, but this index may be the same in some environments (e.g. $L = P_n$ and $\mathcal{L}_T(\alpha) = \{\neg P_1\}$). Then, as $L' \in \mathcal{L}_T(\alpha)$, Expansion has necessarily applied on $L$ by stating the disequality of the indices of $L$ and $L'$. However it cannot be valid that those indices are the same, as this would entail $L \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ or $L^c \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$; so the disequality necessarily holds. It is easily seen that this is possible for one $L'$, but it is not possible for all literals in $\mathcal{L}_T(\alpha)$ satisfying (★). Indeed this would contradict the assumption that $L \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ or $L^c \sqsubseteq_\Diamond \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$. This can be done formally by an induction on the number of literals satisfying (★). So if this was not possible then the iteration would have been turned into its neutral element by Algebraic simplification, and so every occurrence of $L$ would have been removed. This contradicts the initial assumption on $L$.

So we suppose that Propositional splitting has applied. Now, by definition of $\mathfrak{S}$, every occurrence of $L$ found in $S_T(\alpha)$ satisfies the conditions for the application of Expansion in $\mathfrak{S}$ (as the node is translated, an index cannot contain two distinct variables). As $L \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$ or $L^c \sqsubseteq_\Box \bigwedge\mathcal{L}_T(\alpha) \wedge C_{S_T(\alpha)}$, there are $L_1, \ldots, L_q \in \mathcal{L}_T(\alpha)$ of indices $e_1, \ldots, e_q$ s.t. all of them have the same propositional symbol as $L$, and $C_{S_T(\alpha)} \Rightarrow \bigvee_{i \in 1..q} e = e_i$ is valid, where $e$ is the index of $L$. Thus Expansion must have applied on $L$ with all those literals, introducing iterations stating $e \neq e_1, \ldots, e \neq e_q$. The outermost iteration has thus necessarily been removed by Algebraic simplification and $L$ must also have been removed before we reach step 3. □

Lemma 6. Each of the steps 1, 2 and 3 terminates.

Proof.

— Step 1: as already seen, framed Constraint splitting applies at most once.

— Step 2: Propositional splitting can add new literals to the set of literals of a node. However this is done finitely many times, as it is easily seen that there are finitely many literals $L$ s.t. $L \sqsubseteq_\Box S$ or $L^c \sqsubseteq_\Box S$. For each atom $P_{e_1}$ s.t. $e_1$ contains no variable other than the parameter of the schema, Expansion applies as many times as there are literals with proposition symbol $P$ in the set of literals. We just saw that this last number cannot grow infinitely, and the number of atoms in $S$ cannot increase, because Unfolding is not allowed in step 2. Finally, non-framed Constraint splitting applies as many times as there are non-framed iterations, which is precisely the number of times where Expansion can apply.

— Step 3: only Unfolding can apply. This terminates because there are finitely many iterations in a schema, and because if $e_1, e_2$ are expressions, no constraint can entail $e_1 \le e_2 - q$ for every $q > 0$. Notice that if Constraint splitting could apply in the meantime it would not terminate, because constraints could be modified and thus there could be infinitely many $e$ s.t. $\mathrm{Context}(S_1) \Rightarrow C[e/i]$ is valid (following the notations of Unfolding). □

Corollary 2. Let $b$ be a branch of $T$ containing a node $\alpha$; then either $b$ is finite or it contains an alignment node $\beta \prec \alpha$, i.e. an alignment node is always reached.

Main Proof. The unfolding rules of DPLL* may introduce infinitely many distinct literals, e.g. from $P_i$ we generate $P_n, P_{n-1}, \ldots$. In principle this obviously prevents termination, but the key point is that (as shown by Lemma 7) these literals will eventually become pure, which ensures that they will not be taken into account by the Looping rule.

Definition 22. Let $S$ be a regularly nested schema. Let $A(S)$ be the set $\{q \in \mathbb{Z} \mid q \text{ is the index of a literal in } S\}$; we write $\min_{base}(S)$ for $\min(A(S))$ and $\max_{base}(S)$ for $\max(A(S))$.

Let $B(S)$ be the set $\{q \in \mathbb{Z} \mid i + q \text{ is the index of a literal in an iteration of } S\}$ (it is a subset of $\mathbb{Z}$ by limited progression). We write $\min_{ind}(S) = \min(B(S))$ and $\max_{ind}(S) = \max(B(S))$.

Proposition 14. Let $\alpha, \beta$ be nodes of $T$ s.t. $\beta \prec \alpha$. Then every literal of $S_T(\beta)$ whose index is an integer occurs in $S_T(\alpha)$. Any literal occurring in any node and whose index is an integer occurs in the root schema $S$ of $T$. Consequently its index belongs to $[\min_{base}(S)..\max_{base}(S)]$.

Proof. First it is easily seen that if a literal occurs after application of any rule other than Unfolding, then it already occurred before the application of the rule. This is not the case with Unfolding, which can introduce a new literal due to the substitution in its conclusion. Due to the restriction of Unfolding in $\mathfrak{S}$, this substitution replaces a variable with the last rank of an iteration. Furthermore Unfolding only applies on alignment nodes. By Lemma 4, it is known that such nodes are aligned and that the last rank of their iterations depends on the parameter. Hence every literal that is introduced by substituting a variable with this last rank cannot have an integer as index. So if a literal whose index is an integer occurs after application of any rule (including Unfolding), then it already occurred before the application of the rule.

Finally by induction on the length of the derivation, it is obvious that any literal occurring in any node and whose index is an integer occurs in the root schema of $T$. □

For the sake of simplicity we assume that Propositional splitting only applies on $\neg P_{e_1, \ldots, e_k}$ if $P_{e_1, \ldots, e_k}$ occurs in $S_T(\alpha)$ (notice that we can have $P_{e_1, \ldots, e_k} \sqsubseteq_\Diamond S_T(\alpha)$ without $P_{e_1, \ldots, e_k}$ occurring in $S_T(\alpha)$, e.g. $P_1 \sqsubseteq_\Diamond \bigwedge_{i=1}^{n} \neg P_i \wedge n \ge 1$). This simplifies much some technical details, and it can be proved that this is not restrictive.

Lemma 7. Let $S$ be the root schema of $T$. There is $j_0 \in \mathbb{N}$ s.t. for every $j$-alignment node $\alpha$ of $T$, if $j \ge j_0$ then every literal in $\mathcal{L}_T(\alpha)$ of index $n + q$ where $q < \min_{ind}(S) - l - j$ or $q > \max_{ind}(S) - l - j$ is pure in $S_T(\alpha)$.

Proof. Let $L \in \mathcal{L}_T(\alpha)$. $L$ is pure in $S_T(\alpha)$ iff $L^c \not\sqsubseteq_\Diamond S_T(\alpha)$, i.e. iff $\exists n\,(C_{S_T(\alpha)} \wedge \phi_{L^c}(S_T(\alpha)))$ (where $\phi_{L^c}(S_T(\alpha))$ is defined just before Proposition 1) does not hold, by Proposition 1. It is easily seen that, in our case (for the sake of simplicity we assume $L = P_{n+q}$, the case $\neg P_{n+q}$ is similar):

$\phi_{L^c}(S_T(\alpha)) = \bigvee\{\exists i\,(k \le i \wedge i \le n-l-j \wedge n+q = i+q') \mid \neg P_{i+q'} \sqsubseteq S_T(\alpha)\}$
$\quad \vee \bigvee\{n+q = q' \mid \neg P_{q'} \sqsubseteq S_T(\alpha)\}$
$\quad \vee \bigvee\{n+q = n+q' \mid \neg P_{n+q'} \sqsubseteq S_T(\alpha)\}$

But as $\alpha$ is an alignment node, if there were literals $\neg P_{q'} \sqsubseteq S_T(\alpha)$ (resp. $\neg P_{n+q'} \sqsubseteq S_T(\alpha)$), then Expansion would have applied. Thus either such literals would have been eliminated or the corresponding constraint $n+q = q'$ (resp. $n+q = n+q'$) would not hold in $C_{S_T(\alpha)}$. So it only remains to prove that the following does not hold:

$\exists n\,(C_{S_T(\alpha)} \wedge \bigvee\{\exists i\,(k \le i \wedge i \le n-l-j \wedge n+q = i+q') \mid \neg P_{i+q'} \sqsubseteq S_T(\alpha)\})$

This amounts to:

$\exists n\,(C_{S_T(\alpha)} \wedge \bigvee\{k+q' \le n+q \wedge n+q \le n-l-j+q' \mid \neg P_{i+q'} \sqsubseteq S_T(\alpha)\})$

For every $q'$ s.t. $\neg P_{i+q'} \sqsubseteq S_T(\alpha)$, we have $q' \le \max_{ind}(S)$, by definition of $\max_{ind}(S)$. So if $q > \max_{ind}(S) - l - j$, then $n+q \le n-l-j+q'$ holds for no such $q'$, the above formula does not hold and we get the result.

Now if $q < \min_{ind}(S) - l - j$ then $L$ is not pure in general; however we can find $j_0 \in \mathbb{N}$ s.t. if $j \ge j_0$ then it is actually impossible to have $q < \min_{ind}(S) - l - j$. We show that literals s.t. $q < \min_{ind}(S) - l - j$ can only be literals of the root schema $S$, so once all of them are pure, no other literal s.t. $q < \min_{ind}(S) - l - j$ will be introduced. Therefore we take $j_0$ to be the minimal $j$ s.t. $n + q > n - l - j + \max_{ind}(S)$ for every literal of index $n + q$ in the root schema. First notice that, as $L$ has been introduced in $\mathcal{L}_T(\beta)$ by Propositional splitting at some node $\beta$, and thanks to the restriction made on Propositional splitting just before the lemma, $L$ was occurring in $S_T(\beta)$. Now either this literal was already occurring in the root schema or it has been introduced by an Unfolding. As $\alpha$ is aligned on $[k..n-l-j]$, all literals that have been introduced so far by Unfolding have an index of the form $n - l - j' + q'$ where $j' < j$ and $q' \in B(S)$ (see Definition 22 for the definition of $B(S)$). As $\min_{ind}(S) = \min(B(S))$ and $q < \min_{ind}(S) - l - j < \min_{ind}(S) - l - j'$, $L$ cannot have been introduced by Unfolding. Thus $L$ is indeed a literal of the root schema. Hence we can take $j_0$ as above (informally, iterations will be unfolded until all literals of the root schema are pure; when this is done we have our $j_0$). □
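As an added example (not code from the paper), the following Python code implements the bookkeeping of Definition 22, the purity bound of Lemma 7 ($q > \max_{ind}(S) - l - j$) and equality up to a shift on $n$ as it is used by the Looping rule and by Corollary 3. Literals are encoded as (sign, symbol, variable, offset) tuples; the schema $P_1 \wedge \bigwedge_{i=1}^{n}(P_i \vee \neg P_{i+1})$ (aligned on $[1..n]$, so $l = 0$) is a constructed sample, and `unfolded_literals` models the indices $n - l - j' + q'$ that $j$ unfoldings introduce, as in the proof above:

```python
from typing import FrozenSet, Iterable, List, Optional, Tuple

# A literal is (positive?, symbol, variable or None, offset): (False, 'P', 'n', -1) is NOT P_{n-1},
# (True, 'P', None, 3) is P_3 and (True, 'P', 'i', 1) is P_{i+1} inside an iteration bound on i.
Literal = Tuple[bool, str, Optional[str], int]

def base_bounds(lits: Iterable[Literal]) -> Tuple[int, int]:
    """min_base(S), max_base(S): A(S) is the set of integer indices of literals of S (Definition 22)."""
    a = [q for (_, _, v, q) in lits if v is None]
    return min(a), max(a)

def ind_bounds(lits: Iterable[Literal], var: str = 'i') -> Tuple[int, int]:
    """min_ind(S), max_ind(S): B(S) is the set of offsets q of indices var + q inside iterations."""
    b = [q for (_, _, v, q) in lits if v == var]
    return min(b), max(b)

def shift(lits: Iterable[Literal], d: int) -> FrozenSet[Literal]:
    """S[n+d/n]: shift by d every index that mentions the parameter n."""
    return frozenset((s, p, v, q + d) if v == 'n' else (s, p, v, q) for (s, p, v, q) in lits)

def shift_equal(l1: FrozenSet[Literal], l2: FrozenSet[Literal]) -> bool:
    """Equality up to a shift on n: l2 == l1[n+d/n] for some integer d (the Looping test)."""
    n1 = [q for (_, _, v, q) in l1 if v == 'n']
    n2 = [q for (_, _, v, q) in l2 if v == 'n']
    if not n1 or not n2:
        return l1 == l2
    return shift(l1, min(n2) - min(n1)) == l2  # a shift must map the smallest n-offset onto the smallest

def canonical(lits: Iterable[Literal]) -> FrozenSet[Literal]:
    """Representative of the class of lits modulo shift on n: the smallest n-offset becomes 0."""
    lits = frozenset(lits)
    n = [q for (_, _, v, q) in lits if v == 'n']
    return shift(lits, -min(n)) if n else lits

def pure_by_lemma7(q: int, l: int, j: int, schema: List[Literal]) -> bool:
    """Lemma 7 bound: at a j-alignment node of a schema aligned on [k..n-l], a literal of
    index n+q in L_T(alpha) is pure whenever q > max_ind(S) - l - j."""
    return q > ind_bounds(schema)[1] - l - j

def unfolded_literals(schema: List[Literal], l: int, j: int) -> FrozenSet[Literal]:
    """Literals introduced by unfolding every iteration j times: index n - l - j' + q', j' < j (proof of Lemma 7)."""
    return frozenset((s, p, 'n', -l - jp + q) for jp in range(j) for (s, p, v, q) in schema if v == 'i')

def non_pure_window(schema: List[Literal], l: int, j: int) -> FrozenSet[Literal]:
    """Unfolded literals not covered by the Lemma 7 bound, i.e. with n-offset in
    [min_ind - l - j .. max_ind - l - j]: the sets C(q, P) and D(q, P) of Corollary 3."""
    lo, hi = ind_bounds(schema)
    return frozenset(x for x in unfolded_literals(schema, l, j) if lo - l - j <= x[3] <= hi - l - j)

# Constructed sample: P_1 AND AND_{i=1}^{n} (P_i OR NOT P_{i+1}), aligned on [1..n-0], so l = 0
SAMPLE: List[Literal] = [(True, 'P', None, 1), (True, 'P', 'i', 0), (False, 'P', 'i', 1)]

def demo() -> Tuple[bool, bool, bool]:
    """The full unfolded literal sets never repeat modulo shift, but their non-pure part does."""
    whole = shift_equal(unfolded_literals(SAMPLE, 0, 3), unfolded_literals(SAMPLE, 0, 4))
    window = shift_equal(non_pure_window(SAMPLE, 0, 3), non_pure_window(SAMPLE, 0, 4))
    p_n_pure = pure_by_lemma7(0, 0, 2, SAMPLE)  # P_n is pure once two unfoldings have happened
    return whole, window, p_n_pure
```

`demo()` returns `(False, True, True)`: three and four unfoldings give literal sets of different sizes, so no shift identifies them, which is exactly why Looping must ignore pure literals; restricted to the window $[\min_{ind}(S) - l - j .. \max_{ind}(S) - l - j]$ the sets are identical up to a shift, as Corollary 3 requires.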

Corollary 3. Let $S$ be a regularly nested schema of parameter $n$ and $T$ a tableau of root schema $S$; then $\{\bigwedge\mathcal{L}_T(\alpha) \mid \alpha \text{ is an alignment node}\}$ is finite up to the pure extension of equality up to a shift on $n$.

Proof. It amounts to prove that $C := \bigwedge\{L \in \mathcal{L}_T(\alpha) \mid \alpha \text{ is an alignment node},\ L \text{ is not pure in } S_T(\alpha) \wedge \bigwedge\mathcal{L}_T(\alpha)\}$ is finite up to a shift on $n$. For every proposition symbol $P$ and every $q \in [\min_{ind}(S_T(\alpha))..\max_{ind}(S_T(\alpha))]$, we define the set $C(q, P) := \{P_{n-l-j+q} \in \mathcal{L}_T(\alpha) \mid \alpha \text{ is a } j\text{-alignment node},\ j \ge j_0\}$. $D(q, P)$ denotes the same set with $\neg P_{n-l-j+q}$. $E$ is the set of literals that occurred before a $j$-alignment node with $j < j_0$. Finally $F := \{P_q \in \mathcal{L}_T(\alpha) \mid q \in \mathbb{Z},\ \alpha \text{ is a } j\text{-alignment node},\ j \ge j_0\}$. It is clear that:

$C = \bigcup_{q, P} C(q, P) \cup \bigcup_{q, P} D(q, P) \cup E \cup F$

$C(q, P)$ and $D(q, P)$ are clearly finite up to a shift on $n$. As there are finitely many $P$ and $q$, so are the sets $\bigcup_{q, P} C(q, P)$ and $\bigcup_{q, P} D(q, P)$. $E$ is finite. Finally $F$ is finite because all its elements are literals of the root schema $S$ thanks to Proposition 14. Consequently $C$ is indeed finite up to a shift. □

Lemma 8. Let $S$ be a regularly nested schema of parameter $n$ and $T$ a tableau of root schema $S$; then $\{C_{S_T(\alpha)} \mid \alpha \text{ is an alignment node}\}$ is finite up to the constraint-irreducible extension of equality up to a shift on $n$.

Proof. As Interval splitting never applies, the only rule that introduces constraints is Constraint splitting. For a framed Constraint splitting, the only constraints that may be introduced in an alignment node are of the form $\forall i\,\neg(k \le i \wedge i \le n-l-j)$ or $\exists i\,(k \le i \wedge i \le n-l-j)$, for some $j \in \mathbb{N}$. Non-framed Constraint splitting introduces only constraints that come from the emptiness of an iteration added by Expansion. Thus those constraints have the form $e \star f$ where $\star \in \{=, \neq\}$, $e$ comes from a literal in $S_T(\alpha)$ and $f$ comes from a literal in $\mathcal{L}_T(\alpha)$. Thus if we are in a $j$-alignment node and $e$ contains $n$ then $e$ belongs to the set $[n-l-j+\min_{ind}(S)..n-l-j+\max_{ind}(S)]$ by Lemma 7; if $e$ does not contain $n$ then it belongs to the set $[\min_{base}(S)..\max_{base}(S)]$ by Proposition 14; and $f$ belongs to the set $[\min_{base}(S)..\max_{base}(S)] \cup [n-l-j+\min_{ind}(S)..n-l+\max_{ind}(S)]$.
We now prove that the set of added constraints is finite up to the constraint-irreducible extension of equality up to a shift. We distinguish various cases depending on the shape of the introduced constraints. Finally, we will combine those results thanks to Theorem 3.

— Framed constraint $\exists i\,(k \le i \wedge i \le n-l-j)$: the set of generated constraints of this form is:

$\exists i\,(k \le i \wedge i \le n-l)$
$\exists i\,(k \le i \wedge i \le n-l) \wedge \exists i\,(k \le i \wedge i \le n-l-1)$
$\exists i\,(k \le i \wedge i \le n-l) \wedge \exists i\,(k \le i \wedge i \le n-l-1) \wedge \exists i\,(k \le i \wedge i \le n-l-2)$
etc.

but we can remove the redundant constraints and obtain:

$\exists i\,(k \le i \wedge i \le n-l)$
$\exists i\,(k \le i \wedge i \le n-l-1)$
$\exists i\,(k \le i \wedge i \le n-l-2)$
etc.

which is trivially $\equiv^n$-finite.

— Framed constraint $\forall i\,\neg(k \le i \wedge i \le n-l-j)$: once this constraint is added, there are no more iterations in the schema, so no other constraint of this form will be added. Thus the set of all constraints of this form that may be added in all the nodes is $\{\forall i\,\neg(k \le i \wedge i \le n-l-j) \mid j \in \mathbb{N}\}$, which is obviously finite up to a shift.

— Non-framed constraint with $e \in [n-l-j+\min_{ind}(S)..n-l-j+\max_{ind}(S)]$ and $f \in [n-l-j+\min_{ind}(S)..n-l+\max_{ind}(S)]$: then $e \star f$ is either valid or unsatisfiable. If it is valid then it is of course redundant so we do not even need to consider it. If it is unsatisfiable then, by constraint-irreducibility, we can consider that it is $\bot$. When an unsatisfiable constraint is added, the branch is closed, so no other constraint may be added. Thus the set of such constraints generated in this case is just $\{\bot\}$, trivially finite.

— Non-framed constraint with $e \in [\min_{base}(S)..\max_{base}(S)]$ and $f \in [n-l-j+\min_{ind}(S)..n-l-j-k+\max_{base}(S)]$, i.e. the considered set of constraints is:

$\{e \star f \mid e \in [\min_{base}(S)..\max_{base}(S)],\ f \in [n-l-j+\min_{ind}(S)..n-l-j-k+\max_{base}(S)],\ j \in \mathbb{N}\}$

The set $A$ of the expressions $f$ is a finite union of sets of the form $\{n - j + q \mid j \in \mathbb{N}\}$ where $q \in \mathbb{Z}$. All such sets are $\equiv^n$-finite, so $A$ is $\equiv^n$-finite. Then $[\min_{base}(S)..\max_{base}(S)]$ is obviously $\equiv^n$-finite, so we get the result by the third corollary of Theorem 3 (with null deviation, as no expression in $[\min_{base}(S)..\max_{base}(S)]$ contains $n$). Notice that the full interval on which $f$ ranges ($[n-l-j+\min_{ind}(S)..n-l+\max_{ind}(S)]$) has been split on purpose, so that $A$ can indeed be a finite union of $\equiv^n$-finite sets.
— Non-framed constraint with $e \in [\min_{base}(S)..\max_{base}(S)]$ and $f \in [n-l-j-k+\max_{base}(S)+1..n-l+\max_{ind}(S)]$, when $\star$ is $=$: this constraint states $e = f$. However we know that $k \le n-l-j$, so $n \ge k+l+j$. As $e = f$, we have $n = n+e-f$. So $n+e-f \ge k+l+j$, thus $f \le n+e-k-l-j$. As $e \le \max_{base}(S)$, we obtain $f \le n+\max_{base}(S)-k-l-j$. This contradicts the above lower bound, so $e = f$ is actually unsatisfiable and we get the result as in the third case.

— Non-framed constraint with $e \in [\min_{base}(S)..\max_{base}(S)]$ and $f \in [n-l-j-k+\max_{base}(S)+1..n-l]$, when $\star$ is $\neq$: this is the hard case; indeed one easily obtains in this way an infinite set of disequalities which is not $\equiv^n$-finite and, contrarily to the previous cases, we cannot use the constraint-irreducible extension to simplify it. However at node $\alpha$, $C_{S_T(\alpha)}$ entails $n-l-j \ge k$ (because $\alpha$ is aligned on $[k..n-l-j]$) and thus $n-l-j-k \ge 0$. On the other hand $f \ge n-l-j-k+\max_{base}(S)+1$, thus $f \ge \max_{base}(S)+1$. So, as $e \le \max_{base}(S)$, $f > e$. Hence the constraint $f \neq e$ is finally redundant.

Finally it is easily seen that combining all different cases preserves finiteness up to a shift by Theorem 3, simply because by inspecting all the cases one can see that all the expressions of a constraint inserted at a $j$-alignment node are of the form $n - j + q$ for some $q$ belonging to a finite set. So all the cases are "synchronized". □

Lemma 9 (Main Lemma). Let $S$ be a regularly nested schema of parameter $n$ and $T$ a tableau of root schema $S$; then $\{\Pi_{S_T(\alpha)} \mid \alpha \text{ is an alignment node}\}$ is finite up to a shift on $n$.

Proof. We prove that $\{\pi \mid \Pi_{S_T(\alpha)}|_p \approx_{T_p} \pi,\ \alpha \text{ is an alignment node},\ \pi \text{ is a pattern}\}$ ($T_p$ is the decorated of $T$ w.r.t. $p$) is finite up to a shift on $n$ for every position $p$ in $\Pi_{S_T(\alpha)}$. We get the intended result when $p = \varepsilon$: indeed it is easily seen that this position is invariant by T-DPLL*, hence if $\pi$ is s.t. $\Pi_{S_T(\alpha)}|_\varepsilon \approx_{T_\varepsilon} \pi$ then $\pi = \Pi_{S_T(\alpha)}$ (as $T_\varepsilon$ is the decorated of $T$ w.r.t. position $\varepsilon$, $\alpha$ may indifferently be considered as a node of $T$ or a node of $T_\varepsilon$).

Let $\Pi_{S_T(\alpha)}|_p$ be a subpattern of $\Pi_{S_T(\alpha)}$ at some position $p$ and $\pi'$ a pattern s.t. $\Pi_{S_T(\alpha)}|_p \approx_{T_p} \pi'$. $\pi'$ is the result of applying some transformations to some other $\pi$ s.t. $\Pi_{S_T(\alpha)}|_p \approx_{T_p} \pi$. Those transformations may be a combination of: (i) identity (if no rule applied to the subpattern between two alignment nodes), (ii) rewrite of a pattern above $\pi$, (iii) rewrite of a subpattern of $\pi$, (iv) rewrite of $\pi$ itself, or (v) instantiation of a variable (in case Unfolding applies somewhere above $\pi$). We have to check that none of those transformations can generate an infinite set of new schemata. This is trivial for (i). (ii) is invisible when tracing $\Pi_{S_T(\alpha)}|_p$ (the trace follows the moves of $\Pi_{S_T(\alpha)}|_p$) and thus is an identity as far as we are concerned (notice that this is what tracing was designed for). For the other cases the proof goes by induction on the structure of $\pi$:

— Suppose $\pi$ is a literal of index $e$.

(iii) Impossible.

(iv) Only Expansion can rewrite a literal. This is possible only if no variable other than $n$ occurs in $e$, in which case Algebraic simplification applies afterwards. As seen multiple times, the introduced iterated connective will necessarily be deleted in the next alignment node (either by removing the full iteration, or by removing only the connective). Hence no new schema is generated.

(v) This is possible only if there is a variable other than $n$ in $e$ (as $n$ is never instantiated), in which case $\pi$ is turned into a literal whose index does not refer to a variable other than $n$; then the Expansion and Algebraic simplification rules apply as in case (iv).

— Suppose $\pi = \pi_1 \triangledown \pi_2$ where $\triangledown \in \{\wedge, \vee\}$.

(iii) It implies that there are $\pi'_1, \pi'_2$ s.t. $\pi_1 \approx_{T_{p.1}} \pi'_1$ and $\pi_2 \approx_{T_{p.2}} \pi'_2$. By Lemmata 4 and 5 all expressions involving $n$ in both $\pi_1$ and $\pi_2$ have the form $n-l-j$, hence $\delta(\pi_1, \pi_2) = 0$ (where $\delta$ denotes the deviation, Section 4.1). By induction the sets of possible $\pi'_1$ and $\pi'_2$ are finite up to a shift, so we can apply the first corollary of Theorem 3 and conclude.

(iv) The only possible rule is Algebraic simplification, in which case the result is obtained by induction.

(v) For every substitution $\sigma$, $\pi\sigma = \pi_1\sigma \triangledown \pi_2\sigma$, so if $\pi \approx \pi\sigma$ then $\pi_1 \approx \pi_1\sigma$ and $\pi_2 \approx \pi_2\sigma$, and we conclude by induction.

— Suppose $\pi = \bigtriangledown_{i=k}^{n-l-j}\eta$ where $\bigtriangledown \in \{\bigwedge, \bigvee\}$ and $j \in \mathbb{N}$ (we write $\triangledown$ for the corresponding binary connective). By Lemma 4, we know that every iteration must have this form.

(iii) This is handled as in the previous case except that we use the second corollary of Theorem 3 instead of the first one.

(iv) The only rewrite can be Unfolding. For every $p \in \mathbb{N}$, when Unfolding applies $p$ times, $\pi$ is turned into $\eta_1 \triangledown \ldots \triangledown \eta_p \triangledown \bigtriangledown_{i=k}^{n-l-j-p}\eta$. But $\pi \approx \eta_1, \ldots, \pi \approx \eta_p$, so by induction hypothesis on $\pi$ they all belong to the same $\equiv^n$-finite set. So if $p$ is big enough, there are patterns of the form $\eta_q$ that will loop on each other ($q \in 1..p$). Formally there is $q_0 \in \mathbb{N}$ s.t. for every $p \in \mathbb{N}$ and every $q \in 1..p$, if $q > q_0$ then there is a $q' \le q_0$ s.t. $\eta_q \approx \eta_{q'}$. By Lemmata 4 and 5, only iterations contain $n$ and all of them are aligned, thus there is actually no shift on $n$, meaning that $\eta_q = \eta_{q'}$. Hence, by Algebraic simplification, $\eta_1 \triangledown \cdots \triangledown \eta_p$ simplifies into $\eta_1 \triangledown \cdots \triangledown \eta_{q_0}$ at worst. Finally all schemata obtained from $\pi$ are of the form $\eta_1 \triangledown \ldots \triangledown \eta_{q_0} \triangledown \bigtriangledown_{i=k}^{n-l-j-p}\eta$. There are finitely many such schemata by induction hypothesis on $\eta$ (and thus on $\eta_1, \ldots, \eta_{q_0}$), by the first and second corollaries of Theorem 3 (the deviation is null), and because $q_0$ is a constant.

(v) As $n-l-j$ does not contain other variables than $n$ it is not affected by the instantiation. All bound variables are assumed distinct so the instantiation cannot replace $i$. Thus, writing $\sigma$ for the substitution, $\pi\sigma = \bigtriangledown_{i=k}^{n-l-j}(\eta\sigma)$, and we conclude by induction. □

Corollary 4. Let $S$ be a regularly nested schema of parameter $n$ and $T$ a tableau of root schema $S$; then $\{S\mathcal{L}_T(\alpha) \mid \alpha \text{ is an alignment node}\}$ is finite up to the constraint-irreducible and pure extensions of equality up to a shift on $n$.

Proof. This follows from Definition 8 and from Theorem 3 applied to the results of Corollary 3, Lemma 8 and the Main Lemma. Lemma 7 ensures that the deviation is lower than $\max_{ind}(S) - \min_{ind}(S)$. □

Theorem 4. $\mathfrak{S}$ terminates on every regularly nested schema.

Proof. It easily follows from the previous Corollary and the fact that $\mathfrak{S}$ uses the pure extension of equality up to a shift. Corollary 2 is also required to ensure that it is indeed sufficient to restrict ourselves to alignment nodes. □

5.3 Extensions 

In the light of the previous proof, we can easily extend the class of regularly 
nested schemata to broader terminating classes. First we can relax a little the 
alignment condition: 

Definition 23. A schema $S$ is:

— down-aligned iff it is framed and the frames of all iterations have the same lower bound $k \in \mathbb{Z}$ and have an upper bound of the form $n - l$, where $l \in \mathbb{Z}$;

— up-aligned iff it is framed and the frames of all iterations have the same upper bound $n - l$, where $l \in \mathbb{Z}$, and have any $k \in \mathbb{Z}$ as their lower bound;

— broadly aligned iff all iterations of $S$ have frames of the form $[k_1..n - k_2]$, $k_1, k_2 \in \mathbb{Z}$.

Theorem 5. $\mathfrak{S}$ terminates on every schema which is monadic, of limited progression
and down-aligned.

Proof. (Sketch) Such a schema is almost regularly nested, except that down-alignment
is substituted to alignment. It is easily seen that, after the first passing
in step 2, either the constraint $k < n - l$ or $k > n - l$ has been added to the
node, where $l = \min\{l' \mid n - l' \text{ is the upper bound of an iteration in } S\}$. If it is
$k < n - l$ then it implies that $k < n - l'$ for every $l' > l$. In step 3, all iterations
are unfolded until no longer possible. Hence here, all iterations will be unfolded
until their upper bound reaches $n - l - 1$ (even those of frames $[k..n - l']$, $l' > l$).
As a consequence all iterations are now aligned and we are back in the same
case as for regularly nested schemata. We call this phase, where all iterations
progressively become aligned, the rectification. Rectification terminates because
of an argument similar to the one proving the termination of Step 3 in the proof
of Lemma 6. In the case where $k > n - l$ has been added, it is easily seen
that there will be finitely many unfoldings of iterations of frame $[k..n - l']$,
$l' > l$ (actually there will be at most $m - l'$ such unfoldings per iteration, where
$m = \max\{l' \mid n - l' \text{ is the upper bound of an iteration in } S\}$), then all iterations
will be empty. □

Theorem 6. $\mathfrak{S}$ terminates on every schema which is monadic, of limited progression
and up-aligned.

Proof. (Sketch) In this case, schemata will, in general, never become aligned:
suppose we have two iterations $\bigwedge_{i=k_1}^{n-l} \pi$ and $\bigvee_{i=k_2}^{n-l} \pi'$ with $k_1 < k_2$. Then any
constraint $k_1 > n - l - j$ implies $k_2 > n - l - j - k_1 + k_2$, so when $\bigwedge_{i=k_1}^{n-l} \pi$ is
unfolded until $n - l - j$, $\bigvee_{i=k_2}^{n-l} \pi'$ is unfolded until $n - l - j - k_1 + k_2$. We will
never reach alignment. However it is easily seen that the difference between two
upper bounds (here $k_2 - k_1$) will always remain lower than the deviation of the
original schema. Hence slight modifications in the proof of the Main Lemma enable us to
conclude. The hard point lies in the application of Algebraic simplification in
item (iv) of the iteration case: indeed now we cannot conclude from $\pi_{f-k+q} \equiv
\pi_{f-k+q'}$ that $\pi'_{f-k+q} = \pi'_{f-k+q'}$, as there is no alignment. However, as the "misalignment"
is confined to a finite set, the sequence $(\pi'_{f-k+1} \wedge \cdots \wedge \pi'_f)_{k \in \mathbb{N}}$ still
cannot grow infinitely. □

Theorem 7. $\mathfrak{S}$ terminates on every schema which is monadic, of limited progression
and broadly aligned.

Proof. (Sketch) This proof is close to the previous one. Actually we do not really
need the fact that the upper bound is the same in the previous proof. □

Definition 24. A schema $S$ is:

— variable-aligned on $[e_1..e_2]$, for two linear expressions $e_1, e_2$, iff every iteration
of $S$ is framed either on $[e_1..e_2]$, or on $[e_1..i + q]$ where $i$ is a non-parameter
variable and $q \in \mathbb{Z}$.

— simply variable-aligned iff it is variable-aligned and $q = 0$.

— positively variable-aligned iff it is variable-aligned and $q > 0$.

— negatively variable-aligned iff it is variable-aligned and $q < 0$.

— broadly variable-aligned iff all iterations of $S$ have frames of the form $[k_1..n -
k_2]$, or $[k_1..i - k_2]$, where $k_1, k_2 \in \mathbb{Z}$.

An iteration of frame $[e_1..i + q]$ is called an $i$-iteration. Let $\mathfrak{S}'$ be the strategy $\mathfrak{S}$
except that Emptiness is disallowed.

Theorem 8. $\mathfrak{S}$ terminates on every schema which is monadic, of limited progression
and simply variable-aligned on $[k..n - l]$ for some $k, l \in \mathbb{Z}$.

Proof. (Sketch) It is easily seen that variable-alignment is preserved all along the
procedure (this fact plays the same role as Lemma 4): indeed, the only way an
$i$-iteration $\bigwedge_{j=k}^{i} \pi$ may be unfolded is by unfolding the iteration binding $i$ (which
necessarily exists as $i$ is not a parameter). Let us write it $\bigvee_{i=k}^{e} \pi'$, where $e$ is either a
non-parameter variable or a linear expression of the form $n - l - j$. When this
iteration is unfolded, it is turned into $\bigvee_{i=k}^{e-1} \pi' \vee \pi'[e/i]$. We have now two copies
of $\bigwedge_{j=k}^{i} \pi$: one inside $\bigvee_{i=k}^{e-1} \pi'$, and one inside $\pi'[e/i]$. The last one has actually
been instantiated: $\bigwedge_{j=k}^{e} \pi$. As this iteration has the same frame as $\bigvee_{i=k}^{e} \pi'$ it
also meets the requirements to be unfolded, which indeed happens, turning the
iteration into $\bigwedge_{j=k}^{e-1} \pi$. This new iteration is framed on $[k..e - 1]$ like every other
non $i$-iteration in the node. As Emptiness is disallowed, all non-instantiated $i$-iterations
are kept as is. Finally there is a finite number of such instantiations,
as each time the number of iterations below the observed iteration decreases. As
a consequence all generated schemata are translated w.r.t. $n$, and the proof is
then very similar to the regularly nested case. □
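The unfolding and instantiation steps of this proof, as an added runnable example that is not part of the paper: a constructed schema $\bigvee_{i=1}^{n-1}(P_i \wedge \bigwedge_{j=1}^{i} Q_j)$ in which the outer iteration binds $i$ and the inner one is an $i$-iteration. The tuple encoding of schemata and the dictionary encoding of linear index expressions are assumptions of this example, not the paper's notation.

```python
"""Unfolding on iterated schemata, and the instantiation of an i-iteration.

Added example, not from the paper: the encodings below are assumptions of this
example.  An index expression is linear: a dict mapping a symbol (the parameter
"n" or a bound variable) to its coefficient, with the constant term under the
key "c", so n - l - 1 with l = 1 is {"n": 1, "c": -2}.
"""

def lin(**terms):
    """Build a normalised linear expression (zero coefficients dropped)."""
    return {s: c for s, c in terms.items() if c != 0}

def add(e, f, scale=1):
    """e + scale * f, normalised."""
    out = dict(e)
    for s, c in f.items():
        out[s] = out.get(s, 0) + scale * c
    return {s: c for s, c in out.items() if c != 0}

def subst_expr(e, var, val):
    """e[val/var]: replace the index variable var by the linear expression val."""
    coeff = e.get(var, 0)
    rest = {s: c for s, c in e.items() if s != var}
    return add(rest, val, coeff)

# Schemata are nested tuples:
#   ("prop", name, idx)                      indexed proposition, e.g. Q_j
#   ("not", s), ("and", *ss), ("or", *ss)    connectives
#   ("iter", op, var, lower, upper, body)    iteration of var over [lower..upper];
#                                            op "and" = big conjunction, "or" = big disjunction
def subst(s, var, val):
    """Apply [val/var] to every index expression of s (iteration bounds included)."""
    tag = s[0]
    if tag == "prop":
        return ("prop", s[1], subst_expr(s[2], var, val))
    if tag == "iter":
        op, v, lo, up, body = s[1:]
        # bound variables are assumed pairwise distinct, so v != var
        return ("iter", op, v, subst_expr(lo, var, val), subst_expr(up, var, val),
                subst(body, var, val))
    return (tag,) + tuple(subst(t, var, val) for t in s[1:])

def unfold(it):
    """Unfolding: the iteration over [k..e] becomes the iteration over [k..e-1]
    combined, by its own connective, with the body instantiated at e."""
    _, op, var, lo, up, body = it
    return (op, ("iter", op, var, lo, add(up, {"c": -1}), body), subst(body, var, up))

def frames(s):
    """(var, lower, upper) of every iteration in s, left to right."""
    if s[0] == "prop":
        return []
    if s[0] == "iter":
        return [(s[2], s[3], s[4])] + frames(s[5])
    return [f for t in s[1:] for f in frames(t)]

def show_expr(e):
    terms = [f"{'' if c == 1 else c}{s}" for s, c in e.items() if s != "c"]
    if e.get("c", 0) or not terms:
        terms.append(str(e.get("c", 0)))
    return "+".join(terms).replace("+-", "-")

def show(s):
    """Readable rendering of a schema."""
    tag = s[0]
    if tag == "prop":
        return f"{s[1]}_{show_expr(s[2])}"
    if tag == "not":
        return "not " + show(s[1])
    if tag == "iter":
        big = "AND" if s[1] == "and" else "OR"
        return f"{big}[{s[2]}={show_expr(s[3])}..{show_expr(s[4])}]({show(s[5])})"
    glue = " and " if tag == "and" else " or "
    return "(" + glue.join(show(t) for t in s[1:]) + ")"

# Constructed schema in the shape used by the proof of Theorem 8: the outer
# iteration binds i, and the inner one is an i-iteration framed on [1..i].
INNER = ("iter", "and", "j", lin(c=1), lin(i=1), ("prop", "Q", lin(j=1)))
OUTER = ("iter", "or", "i", lin(c=1), lin(n=1, c=-1),
         ("and", ("prop", "P", lin(i=1)), INNER))

def theorem8_step():
    """Unfold the outer iteration once, then unfold the instantiated inner copy;
    return the iteration frames present after each step."""
    step1 = unfold(OUTER)          # OR[i=1..n-2](...) or (P_{n-1} and AND[j=1..n-1](Q_j))
    instantiated = step1[2][2]     # the copy AND[j=1..n-1](Q_j) inside body[n-1/i]
    step2 = unfold(instantiated)   # AND[j=1..n-2](Q_j) and Q_{n-1}: framed like the others
    return frames(step1), frames(step2)

if __name__ == "__main__":
    print(show(OUTER))
    print(show(unfold(OUTER)))
    print(theorem8_step())
```

After the first unfolding, the node contains the un-instantiated $i$-iteration (frame $[1..i]$, kept as is since Emptiness is disallowed) and its instantiated copy with frame $[1..n-1]$; unfolding that copy leaves it framed on $[1..n-2]$, the same frame as the outer iteration, which is the alignment the proof relies on.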

Theorem 9. $\mathfrak{S}'$ terminates on every schema which is monadic, of limited progression
and positively variable-aligned on $[k..n - l]$ for some $k, l \in \mathbb{Z}$.

Proof. (Sketch) It is a combination of the previous proof and the proof of Theorem 5,
except that now rectification not only occurs at the beginning of the procedure
but each time an $i$-iteration is unfolded. Indeed each time $i$ is instantiated in an
$i$-iteration $\bigwedge_{j=k}^{i+q} \pi$, this iteration has to be rectified. There are still finitely many
schemata that are generated, as instantiating $i$-iterations can only lead to finitely
many different iterations up to a shift. □

Theorem 10. $\mathfrak{S}'$ terminates on every schema which is monadic, of limited progression
and negatively variable-aligned on $[k..n - l]$ for some $k, l \in \mathbb{Z}$.

Proof. (Sketch) It is a combination of the proofs of Theorems 8 and 6, except
that now the maximum deviation used in Theorem 3 will not be the deviation
of the original schema $S$, but rather the deviation of $S$ in which all iterations
have been unfolded once. Indeed schemata are not aligned anymore, even after
rectification: when Step 2 terminates, the constraint $k < n - l - j$, where $l =
\min\{l' \mid n - l' \text{ is the upper bound of an iteration in } S\}$, has been added. Hence
if an $i$-iteration of frame $[k..i - q]$, $q > 0$, is instantiated, we get an iteration of frame
$[k..n - l - j - q]$ which cannot be unfolded, as nothing ensures that $k < n - l - j - q$. So we have to deal with
misalignment. As in the proof of Theorem 6, it is easily seen that this is not a
problem, as we have a maximum deviation as noted above. □

Finally the following theorem is obtained by combining all previous proofs:

Theorem 11. $\mathfrak{S}$ terminates on every schema which is monadic, of limited progression
and broadly variable-aligned.

6 Conclusion 

We have presented a proof procedure, called dpll*, for reasoning with propositional
formula schemata. The main originality of our calculus is that the inference
rules may apply at a deep position in a formula, a feature that is essential for
handling nested iterations. A looping mechanism is introduced to improve the
termination behavior. We defined an abstract notion of looping which is very
general, then instantiated this relation into a more concrete version that is decidable,
but still powerful enough to ensure termination in many cases.

We identified a class of schemata, called regularly nested schemata, for which
dpll* always terminates. This class is much more expressive than the class of
regular schemata handled in [2]. The principle of the termination proof is (to the
best of our knowledge) original: it goes by investigating how a given subformula
is affected by the application of expansion rules on the "global" schema. This
is done by defining a "traced" version of the calculus in which additional information
is provided concerning the evolution of a specific subformula (or set of
subformulae, since a formula may be duplicated). This also required a thorough
investigation of the properties of the looping relation. We believe that these ideas
could be reused to prove termination of other calculi sharing common features
with dpll* (namely calculi that operate at deep levels inside a formula and that
allow cyclic proofs).

We do not know of any similar work in automated deduction. Schemata
have been studied in logic (see e.g. [11, 3, 17]) but our approach is different from
these (essentially proof theoretical) works both in the particular kind of targeted
schemata and in the emphasis on the automation of the proposed calculi.
However one can find similarities with other works.

Iterations obviously recall fixed-point constructions, in particular those of
the (modal) μ-calculus³ [5] (with $\bigwedge_{i=1}^{n} \phi$ translated into something like $\nu X.\phi \wedge
X$). However the semantics are very different: that of iterated schemata is restricted
to finite models (since every parameter is mapped to an integer, the
obtained interpretation is finite), whereas models of the μ-calculus may be infinite.
Hence the involved logic is very different from ours and actually simpler
from a theoretical point of view: the μ-calculus admits complete proof procedures
and is decidable, whereas schemata enjoy none of those properties. The
relation between schemata and the μ-calculus might actually be analogous to
the relation between finite model theory [13] and classical first-order logic. The
detailed comparison of all those formalisms is worth investigating but out of
the scope of the present work. Other fixed-point logics exist that can embed
schemata, such as least fixpoint logic [16] or the first-order μ-calculus [18]. However
they are essentially studied for their theoretical properties, i.e. complete or
decidable classes are seldom investigated. Actually the only such study that we
know of is in [4], and iterated schemata definitely do not lie in the studied class,
nor can they be reduced to it.

One can also translate schemata into first-order logic by turning the iterations
into (bounded) quantifications, i.e. $\bigwedge_{i=1}^{n} \phi$ (resp. $\bigvee_{i=1}^{n} \phi$) becomes $\forall i\,(1 \le
i \le n \Rightarrow \phi)$ (resp. $\exists i\,(1 \le i \le n \wedge \phi)$). This translation is completed by quantifying
universally on the parameters and by axiomatizing first-order linear arithmetic.
Then automated reasoning is achieved through a first-order theorem prover. As
arithmetic is involved, useful results would probably be obtained only with inductive
theorem provers [9, 7]. However there are very few decidability results
that can be used with such provers. Moreover most of those systems are designed
to prove formulae of the form $\forall x.\phi$ where $\phi$ is quantifier-free. The translation
sketched above clearly shows that most translated schemata do not match this form.
Actually this is already the case of any schema involving only one iterated disjunction.
Indeed adding existential quantification in inductive theorem proving
is known to be a difficult problem. Notice finally that this translation completely
hides the structure of the original problem.

³ In which many temporal logics, e.g. CTL, LTL, and CTL*, can be translated.
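As an added illustration of this translation, not taken from the paper, here is the conjecture of Appendix A ($A + 0 = A$ for the Adder schema) written as a first-order sentence, with the indexed propositions of the appendix read as predicates of the index and the constraint $n \ge 1$ being the one the Adder schema carries in the tableau of the appendix:

$$\forall n.\ \Big( 1 \le n \ \wedge\ \forall i\,(1 \le i \le n \Rightarrow \mathrm{Sum}_i) \ \wedge\ \neg C_1 \ \wedge\ \forall i\,(1 \le i \le n \Rightarrow \mathrm{Carry}_i) \ \wedge\ \forall i\,(1 \le i \le n \Rightarrow \neg B_i) \Big) \ \Rightarrow\ \forall i\,(1 \le i \le n \Rightarrow (A_i \Leftrightarrow S_i))$$

What a refutational prover actually works on is the negation, i.e. the translation of the refutation schema of Appendix A, and there the iterated disjunction $\bigvee_{i=1}^{n} A_i \oplus S_i$ becomes the bounded existential $\exists i\,(1 \le i \le n \wedge A_i \oplus S_i)$: even this single-disjunction example falls outside the $\forall x.\phi$ form, with $\phi$ quantifier-free, that the inductive provers mentioned above are designed for.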

Finally, as we have seen in Section 4, decidability of regularly nested schemata
lies in the detection of cycles during the proof search. This idea is not new: it
is used e.g. in tableaux methods dealing with modal logics in transitive frames
[14], or μ-calculi [8]. However our cycle detection is quite different because we
use it to actually prove by induction. Notice in particular that, contrarily to
the mentioned tableaux methods, we cannot in general ensure termination. It
is more relevant to consider our case as a particular instance of cyclic proofs,
which are studied in proof theory precisely in the context of proofs by induction.
Both [6] and [20] show that cyclic proofs seem as powerful as systems dealing
classically with induction. A particular advantage of cyclic proofs is that finding
an invariant is not needed, making them particularly suited to automation. This
is also extremely useful for the formalization of mathematical proofs, because it
allows one to express a potentially infinite sequence of proof steps, thus avoiding the
explicit use of the induction principle. This last feature has been used to avoid
working with more expressive logical formalisms [15]. However, once again, studies
on cyclic proofs are essentially theoretical and no complete class is identified at
all.

Future work includes the implementation of the dpll* calculus and the investigation
of its practical performances. It would also be interesting to extend
the termination result of Section 5 to non-monadic schemata so as to be able to
express e.g. the binary multiplier of the Introduction. Extending the previous
results to more powerful logics (such as first-order logic or modal logic) naturally
deserves to be considered too. Finally the proof of Theorem 4 seems to be a powerful
tool. We hope that the underlying ideas could be useful in other proof systems.
In particular, investigating the looping relation more thoroughly could give rise
to interesting connections.
A An Example of a dpll* Proof

We want to prove that $A + 0 = A$, where $+$ denotes the addition specified by the
schema Adder described in the Introduction. A SAT-solver can easily prove this
for a fixed $n$ (say $n = 9$). We show how to prove it for all $n \in \mathbb{N}$ with dpll*. This
simple example has been chosen for the sake of conciseness, but commutativity
or associativity of the adder could have been proven too.

We express the fact that the second operand is null:

$$\bigwedge_{i=1}^{n} \neg B_i$$

and the conjecture, i.e. the fact that the result equals the first operand:

$$\bigwedge_{i=1}^{n} A_i \Leftrightarrow S_i$$

We negate the conjecture in order to prove it by refutation:

$$\bigvee_{i=1}^{n} A_i \oplus S_i$$

Finally we want to refute:

$$\mathrm{Adder} \wedge \bigwedge_{i=1}^{n} \neg B_i \wedge \bigvee_{i=1}^{n} A_i \oplus S_i$$
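The fixed-$n$ check mentioned at the start of this appendix, as an added runnable example that is not part of the paper: the refutation schema is instantiated at a concrete $n$ and shown unsatisfiable by exhaustive enumeration of assignments. $\mathrm{Carry}_i$ is the majority carry that appears expanded in the tableau below; the definition of $\mathrm{Sum}_i$ is not restated on this page, so the usual full-adder sum $S_i \Leftrightarrow A_i \oplus B_i \oplus C_i$ is an assumption of this example.

```python
"""Instantiate the refutation schema above at a fixed n and check it exhaustively.

Added example, not from the paper: it carries out, by brute force, the fixed-n
SAT check the appendix says any SAT solver can do.
"""
from itertools import product

# --- a minimal propositional formula language (nested tuples) ---------------
def Var(name):
    return ("var", name)

def Not(f):
    return ("not", f)

def And(*fs):
    return ("and",) + fs

def Or(*fs):
    return ("or",) + fs

def Iff(f, g):
    return ("iff", f, g)

def Xor(f, g):
    # S1 (+) S2 is shorthand for not (S1 <=> S2), as recalled below in the appendix
    return Not(Iff(f, g))

def variables(f):
    """Set of variable names occurring in f."""
    if f[0] == "var":
        return {f[1]}
    out = set()
    for g in f[1:]:
        out |= variables(g)
    return out

def evaluate(f, env):
    """Truth value of f under the assignment env (name -> bool)."""
    tag = f[0]
    if tag == "var":
        return env[f[1]]
    if tag == "not":
        return not evaluate(f[1], env)
    if tag == "and":
        return all(evaluate(g, env) for g in f[1:])
    if tag == "or":
        return any(evaluate(g, env) for g in f[1:])
    if tag == "iff":
        return evaluate(f[1], env) == evaluate(f[2], env)
    raise ValueError(tag)

def satisfiable(f):
    """Brute-force SAT: True iff some assignment of f's variables satisfies f."""
    names = sorted(variables(f))
    return any(evaluate(f, dict(zip(names, bits)))
               for bits in product((False, True), repeat=len(names)))

# --- the schema of the appendix, instantiated at a concrete n ---------------
def A(i): return Var(f"A{i}")
def B(i): return Var(f"B{i}")
def S(i): return Var(f"S{i}")
def C(i): return Var(f"C{i}")

def carry(i):
    """Carry_i: C_{i+1} <=> (A_i and B_i) or (B_i and C_i) or (A_i and C_i),
    the majority carry expanded in the tableau below."""
    return Iff(C(i + 1), Or(And(A(i), B(i)), And(B(i), C(i)), And(A(i), C(i))))

def sum_(i):
    """Sum_i: S_i <=> A_i (+) B_i (+) C_i.  ASSUMPTION: the usual full-adder sum;
    this page restates Carry_i but not Sum_i."""
    return Iff(S(i), Xor(Xor(A(i), B(i)), C(i)))

def adder(n):
    """Adder at n: Sum_1..Sum_n, not C_1 and Carry_1..Carry_n (the schema needs n >= 1)."""
    if n < 1:
        raise ValueError("the Adder schema carries the constraint n >= 1")
    return And(And(*[sum_(i) for i in range(1, n + 1)]),
               Not(C(1)),
               And(*[carry(i) for i in range(1, n + 1)]))

def refutation(n):
    """Adder, conjoined with 'every B_i false' and 'some A_i (+) S_i', at this n."""
    return And(adder(n),
               And(*[Not(B(i)) for i in range(1, n + 1)]),
               Or(*[Xor(A(i), S(i)) for i in range(1, n + 1)]))

def holds_for(n):
    """True iff A + 0 = A is valid at this n, i.e. the refutation is unsatisfiable."""
    return not satisfiable(refutation(n))

if __name__ == "__main__":
    for n in range(1, 4):
        print(f"n = {n}: A + 0 = A holds -> {holds_for(n)}")  # True for each n
    # without the hypothesis that B is null the conjecture already fails at n = 1
    print(satisfiable(And(adder(1), Xor(A(1), S(1)))))        # True
```

Enumeration over $4n + 1$ variables is only viable for small $n$; the point of dpll* is precisely to replace this per-$n$ check by a single refutation of the schema, for every $n \in \mathbb{N}$, which the tableau below sketches.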



The following figure is only a sketch of the real tableau: several rules are often
applied at once, denoted by vertical dots labelled with the names of the used
rules. We use the conventions that closed leaves are marked by $\times$, and leaves looping
on a node $\alpha$ by $\circlearrowleft(\alpha)$. Changed parts of a node are underlined, and "." means "same
value as the parent node's". We recall that $S_1 \Leftrightarrow S_2$ and $S_1 \oplus S_2$ are shorthands
for $(S_1 \Rightarrow S_2) \wedge (S_2 \Rightarrow S_1)$ and $\neg(S_1 \Leftrightarrow S_2)$ respectively. All bound variables
should be renamed so as to have different names; this is not done for the sake of
readability.
[Figure: sketch of the dpll* tableau refuting $\mathrm{Adder} \wedge \bigwedge_{i=1}^{n} \neg B_i \wedge \bigvee_{i=1}^{n} A_i \oplus S_i$. The tree layout did not survive extraction; the legible nodes and rule labels are listed here in reading order, with unreadable parts marked [illegible]. Nodes are pairs (schema, set of literals).]

(1) $(\bigwedge_{i=1}^{n} \mathrm{Sum}_i \wedge \bigvee_{i=1}^{n} A_i \oplus S_i \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n} \mathrm{Carry}_i \wedge \bigwedge_{i=1}^{n} \neg B_i \wedge n \ge 1,\ \emptyset)$

(Unfolding)

$(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \bigvee_{i=1}^{n-1} A_i \oplus S_i \vee (A_n \oplus S_n) \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n \ge 1,\ .)$

(Expansion) into branches (2), (2'), (3), (3') [branching structure illegible]

(Expansion, then Algebraic simplification)

$(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \bigvee_{i=1}^{n-1} A_i \oplus S_i \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n \ge 1,\ .)$

$(\cdots \wedge n - 1 \ge 1,\ .)$ and $(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \bot \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n - 1 < 1,\ .)$

(Propositional splitting, Expansion and Algebraic simplification, so that $\mathrm{Sum}_n$ and $\mathrm{Carry}_n$ are removed; branches trivially closed are omitted)

$\circlearrowleft(1)$

(2) $(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \bigvee_{i=1}^{n-1} A_i \oplus S_i \vee [\text{illegible}] \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n \ge 1,\ .)$

(Algebraic simplification)

$(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n \ge 1,\ .)$

$(.,\ \{A_n, \neg S_n\})$ and $(.,\ \{A_n, \neg S_n, B_n\})$

(Expansion on $B_n$, Algebraic simplification)

$(.,\ \{A_n, \neg S_n, \neg B_n, C_n\})$ and $(\cdots \wedge \mathrm{Sum}_n \wedge \cdots,\ \{A_n, \neg S_n, \neg B_n, \neg C_n\})$

(Expansion, Algebraic simplification) and (Expansion on $\neg C_n$ [partly illegible], Algebraic simplification)

$(\cdots \wedge \bot \wedge \cdots,\ \{A_n, \neg S_n, \neg B_n, \neg C_n\})$

(Algebraic simplification)

(4) $(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-1} \mathrm{Carry}_i \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n - 1 \ge 1,\ .)$

(one Unfolding)

$(\bigwedge_{i=1}^{n-1} \mathrm{Sum}_i \wedge \mathrm{Sum}_n \wedge \neg C_1 \wedge \bigwedge_{i=1}^{n-2} \mathrm{Carry}_i \wedge \mathrm{Carry}_{n-1} \wedge \mathrm{Carry}_n \wedge \bigwedge_{i=1}^{n-1} \neg B_i \wedge \neg B_n \wedge n - 1 \ge 1,\ .)$

(Expansion on $C_n$ in $\mathrm{Carry}_n$, Algebraic simplification)

$(\cdots \wedge \neg((A_{n-1} \wedge B_{n-1}) \vee (C_{n-1} \wedge A_{n-1}) \vee (C_{n-1} \wedge B_{n-1})) \wedge \cdots \wedge n - 1 \ge 1,\ .)$

$(.,\ \{\ldots, B_{n-1}\})$ and $(.,\ \{\ldots, \neg B_{n-1}\})$

(Unfolding of $\bigwedge_{i=1}^{n-1} \neg B_i$, Expansion on $\neg B_{n-1}$, Algebraic simplification)

(Propositional splitting, Expansion, Algebraic simplification; branches trivially closed are omitted)

$(.\ \wedge\ n - 2 \ge 1,\ \ldots)$ and $(.\ \wedge\ n - 2 < 1,\ \ldots)$

(Unfolding) $\circlearrowleft(4)$

(the constraint imposes $n = 2$, hence $C_{n-1} = C_1$: contradiction with $\neg C_1$; formally: Expansion on $C_1$, Algebraic simplification) $\times$

(2') and (4') are very similar to (2) and (4).